Citrix NetScaler 1000V Getting Started Guide Cisco Systems, Inc. www.cisco.com

Citrix NetScaler 1000V
Getting Started Guide
Citrix NetScaler 10.1
October 9, 2014
Cisco Systems, Inc.
www.cisco.com
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display
output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in
illustrative content is unintentional and coincidental.
© 2014 Cisco Systems, Inc. All rights reserved.
Contents
Getting Started with NetScaler 1000V
Understanding NetScaler 1000V
Switching Features
Security and Protection Features
Optimization Features
Where Does a NetScaler Appliance Fit in the Network?
Citrix NetScaler as a Packet Forwarding Device
How a NetScaler Communicates with Clients and Servers
Understanding NetScaler-Owned IP Addresses
How Traffic Flows Are Managed
Traffic Management Building Blocks
A Simple Load Balancing Configuration
Understanding Virtual Servers
Understanding Services
Understanding Policies and Expressions
Processing Order of Features
Features at a Glance
Application Switching and Traffic Management Features
Application Acceleration Features
Application Security and Firewall Features
NetScaler 1000V Licensing
Installing NetScaler 1000V Virtual Appliances on Nexus 1010/1110
Prerequisites
Installing the VSBs in a High Availability Setup
Installing NetScaler 1000V in High Availability Mode
Verifying NetScaler 1000V Installation in High Availability Mode
Installing the License and Verifying the Resources in High Availability Mode
Installing NetScaler 1000V in Standalone Mode
Installing NetScaler 1000V as a Standalone VSB
Verifying NetScaler 1000V Installation
Installing the License and Verifying the Resources
Replacing a Nexus Node in a High Availability Setup
Configuring a Replacement Primary Nexus Node
Configuring a Replacement Secondary Nexus Node
Installing SSL Card as a Field Replacement Unit (FRU)
Allocating bandwidth for crypto-offload
Installing NetScaler 1000V Virtual Appliances on Linux-KVM Platform
Prerequisites for Installing NetScaler VPX Virtual Appliances on Linux-KVM Platform
Networking Requirements
Properties Of Source Interfaces
Module Required
Limitations and Usage Guidelines
General Recommendations
Limitations
Provisioning the NetScaler 1000V Virtual Appliance by using OpenStack
Provisioning the NetScaler 1000V Virtual Appliance by using OpenStack Using Command Line Interface
Provisioning the NetScaler 1000V Virtual Appliance by using OpenStack Dashboard
Provisioning the NetScaler Virtual Appliance by using the Virtual Machine Manager
Adding Additional Interfaces to NetScaler VPX by using Virtual Machine Manager
Provisioning the NetScaler Virtual Appliance by using the virsh Program
Adding Additional Interfaces to NetScaler VPX using virsh Program
Installing NetScaler 1000V Virtual Appliances on VMware ESX
Prerequisites for Installing NetScaler Virtual Appliances on VMware
Installing NetScaler 1000V on VMware ESX 5.0 or 5.1
To install NetScaler 1000V on VMware ESX 5.0 or 5.1 by using VMware vSphere Client
Verifying NetScaler 1000V Installation on VMware ESX
Installing the License and Verifying the Resources
Upgrading to a Later Build within Release 10.1
Upgrading a Standalone NetScaler Appliance to a Later Build
To upgrade a standalone NetScaler appliance running release 10.1 to a later build by using the command line interface
To upgrade a standalone NetScaler running release 10.1 to a later build by using the configuration utility
Upgrading a NetScaler High Availability Pair to a Later Build
To upgrade a NetScaler high availability pair to a later build by using the command line interface
Downgrading to an Earlier Build within Release 10.1
Downgrading a Standalone NetScaler to an Earlier Build
To downgrade a standalone NetScaler to an earlier build
Downgrading a NetScaler High Availability Pair to an Earlier Build
Setting Up vPath on the NetScaler 1000V VPX
How vPath Works
Step 1: Configuring vPath on a NetScaler
To configure vPath on a NetScaler by using the command line interface
To configure vPath on a NetScaler by using the graphical user interface
Step 2: Configuring Load Balancing of Backend Servers
Step 3: Binding Backend Servers to a Port Profile
To bind backend servers to a port profile
Behavioral Aspects of NetScaler with vPath
NetScaler Features not Supported on the NetScaler 1000V Virtual Appliance
Configuring a NetScaler 1000V Virtual Appliance
NetScaler 1000V FAQs
General
NetScaler 1000V installed on Cisco Nexus 1010/1110
NetScaler 1000V installed on VMware ESX 5.0/5.1
Troubleshooting a NetScaler 1000V installed on a Nexus 1010/1110 appliance
Getting Started with NetScaler 1000V
The NetScaler 1000V virtual appliance is an application delivery controller that
optimizes, secures, and controls the delivery of all enterprise and cloud services. You
can deploy it as a VSB on a Nexus 1010/1110 cloud services platform or as a virtual
machine on the VMware ESX platform. After installing the VSB or VM, set up vPath on the
virtual appliance so that it can communicate with the servers.
The NetScaler 1000V virtual appliance supports many of the features of a physical
NetScaler appliance. For a list of the features not supported, see "NetScaler Features
not Supported on Nexus 1010/1110 and VMware ESX."
For more information about Nexus 1010/1110, see "http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c07-603623.html."
For more information about VMware ESX, see "http://www.vmware.com."
Understanding NetScaler 1000V
A NetScaler 1000V virtual appliance is an application switch that performs application-specific traffic analysis to intelligently distribute, optimize, and secure Layer 4-Layer 7
(L4–L7) network traffic for web applications. For example, a NetScaler bases load
balancing decisions on individual HTTP requests instead of on long-lived TCP
connections, so that the failure or slowdown of a server is managed much more quickly
and with less disruption to clients.
Switching Features
When deployed in front of application servers, a NetScaler ensures optimal distribution
of traffic by the way in which it directs client requests. Administrators can segment
application traffic according to information in the body of an HTTP or TCP request, and
on the basis of L4–L7 header information such as URL, application data type, or cookie.
Numerous load balancing algorithms and extensive server health checks improve
application availability by ensuring that client requests are directed to the appropriate
servers.
Security and Protection Features
NetScaler security and protection features protect web applications from Application
Layer attacks. A NetScaler allows legitimate client requests and can block malicious
requests. It provides built-in defenses against denial-of-service (DoS) attacks and
supports features that protect against legitimate surges in application traffic that
would otherwise overwhelm the servers. An available built-in firewall protects web
applications from Application Layer attacks, including buffer overflow exploits, SQL
injection attempts, cross-site scripting attacks, and more. In addition, the firewall
provides identity theft protection by securing confidential corporate information and
sensitive customer data.
Optimization Features
Optimization features offload resource-intensive operations, such as Secure Sockets
Layer (SSL) processing, data compression, client keep-alive, TCP buffering, and the
caching of static and dynamic content from servers. This improves the performance of
the servers in the server farm and therefore speeds up applications. A NetScaler
supports several transparent TCP optimizations, which mitigate problems caused by
high latency and congested network links, accelerating the delivery of applications
while requiring no configuration changes to clients or servers.
Where Does a NetScaler Appliance Fit in the Network?
A NetScaler appliance resides between the clients and the servers, so that client
requests and server responses pass through it. In a typical installation, virtual servers
configured on the appliance provide connection points that clients use to access the
applications behind the appliance. In this case, the appliance owns public IP addresses
that are associated with its virtual servers, while the real servers are isolated in a
private network. It is also possible to operate the appliance in a transparent mode as
an L2 bridge or L3 router, or even to combine aspects of these and other modes.
Citrix NetScaler as a Packet Forwarding Device
A NetScaler appliance can function as a packet forwarding device, and this mode of
operation is called L3 mode. With L3 mode enabled, the appliance forwards any
received unicast packets that are destined for an IP address that does not belong to the
appliance, if there is a route to the destination. The appliance can also route packets
between VLANs.
In both modes of operation, L2 and L3, the appliance generally drops packets that are in:
• Multicast frames
• Unknown protocol frames destined for an appliance's MAC address (non-IP and non-ARP)
• Spanning Tree protocol (unless BridgeBPDUs is ON)
For a non-TCP service, if the client receives a full-sized packet (1500 bytes), then the
NetScaler sends an ICMP error (fragmentation needed error) to the client. By default,
ICMP error-message generation is enabled. You can change the state by using the
following command: set L3param -icmpErrGenerate (ENABLED | DISABLED). After the
error is generated, the NetScaler IP-fragments the original packet, and vPath encapsulates
each of the individual fragments and sends it back to the server.
How a NetScaler Communicates with Clients and Servers
A NetScaler appliance is usually deployed in front of a server farm and functions as a
transparent TCP proxy between clients and servers, without requiring any client-side
configuration. This basic mode of operation is called Request Switching technology and
is the core of NetScaler functionality. Request Switching enables an appliance to
multiplex and offload the TCP connections, maintain persistent connections, and
manage traffic at the request (application layer) level. This is possible because the
appliance can separate the HTTP request from the TCP connection on which the
request is delivered.
Depending on the configuration, an appliance might process the traffic before
forwarding the request to a server. For example, if the client attempts to access a
secure application on the server, the appliance might perform the necessary SSL
processing before sending traffic to the server.
To facilitate efficient and secure access to server resources, an appliance uses a set of
IP addresses collectively known as NetScaler-owned IP addresses. To manage your
network traffic, you assign NetScaler-owned IP addresses to virtual entities that
become the building blocks of your configuration. For example, to configure load
balancing, you create virtual servers to receive client requests and distribute them to
services, which are entities representing the applications on your servers.
Understanding NetScaler-Owned IP Addresses
To function as a proxy, a NetScaler appliance uses a variety of IP addresses. The key
NetScaler-owned IP addresses are:
NetScaler IP (NSIP) address
The NSIP address is the IP address for management and general system access to the
appliance itself, and for communication between appliances in a high availability
configuration.
Virtual server IP (VIP) address
A VIP address is the IP address associated with a virtual server. It is the public IP
address to which clients connect. An appliance managing a wide range of traffic may
have many VIPs configured.
Subnet IP (SNIP) address
A SNIP address is used in connection management and server monitoring. You can
specify multiple SNIP addresses for each subnet. SNIP addresses can be bound to a
VLAN.
IP Set
An IP set is a set of IP addresses, which are configured on the appliance as SNIP. An
IP set is identified with a meaningful name that helps in identifying the usage of the
IP addresses contained in it.
Net Profile
A net profile (or network profile) contains an IP address or an IP set. A net profile
can be bound to load balancing or content switching virtual servers, services, service
groups, or monitors. During communication with physical servers or peers, the
appliance uses the addresses specified in the profile as source IP addresses.
How Traffic Flows Are Managed
Because a NetScaler appliance functions as a TCP proxy, it translates IP addresses
before sending packets to a server. When you configure a virtual server, clients connect
to a VIP address on the NetScaler instead of directly connecting to a server. As
determined by the settings on the virtual server, the appliance selects an appropriate
server and sends the client's request to that server. By default, the appliance uses a
SNIP address to establish connections with the server, as shown in the following figure.
Figure 1-1. Virtual Server Based Connections
In the absence of a virtual server, when an appliance receives a request, it
transparently forwards the request to the server. This is called the transparent mode of
operation. When operating in transparent mode, an appliance translates the source IP
addresses of incoming client requests to the SNIP address but does not change the
destination IP address. For this mode to work, L2 or L3 mode has to be configured
appropriately.
For cases in which the servers need the actual client IP address, the appliance can be
configured to modify the HTTP header by inserting the client IP address as an
additional field, or configured to use the client IP address instead of a SNIP address for
connections to the servers.
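Because servers normally see a SNIP address as the connection source, an inserted client-IP header is only meaningful when the connection really came from the appliance. The following added example (not part of the original guide) shows a server-side check for that; the header name X-Client-IP and the SNIP addresses are assumptions chosen for illustration.

```python
import ipaddress

# Assumption: the header name configured on the appliance for client-IP insertion.
CLIENT_IP_HEADER = "X-Client-IP"
# Assumption: SNIP addresses the appliance uses as source IPs (constructed values).
TRUSTED_SNIPS = frozenset({"192.0.2.10", "192.0.2.11"})


def effective_client_ip(peer_ip, headers, trusted_snips=TRUSTED_SNIPS,
                        header=CLIENT_IP_HEADER):
    """Decide which address a backend should log or authorize against.

    peer_ip -- source address of the TCP connection as seen by the server
    headers -- list of (name, value) pairs, duplicates preserved
    Returns (address, source), source being 'header', 'peer' or 'invalid'.
    """
    peer = str(ipaddress.ip_address(peer_ip))

    # A connection that does not come from a SNIP bypassed the appliance,
    # so any client-IP header on it was written by the sender itself.
    if peer not in trusted_snips:
        return peer, "peer"

    values = [v.strip() for n, v in headers if n.lower() == header.lower()]
    if not values:
        # The appliance connected from a SNIP without inserting the header.
        return peer, "peer"
    if len(values) > 1:
        # More than one value: cannot tell which one the appliance wrote.
        return peer, "invalid"
    try:
        return str(ipaddress.ip_address(values[0])), "header"
    except ValueError:
        # Present but not an IP address: fall back to the peer and flag it.
        return peer, "invalid"
```

Requests that come back as 'invalid' are worth logging separately, since they indicate either a misconfigured insertion setting or a header supplied by the client.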
Traffic Management Building Blocks
The configuration of a NetScaler appliance is typically built up with a series of virtual
entities that serve as building blocks for traffic management. The building block
approach helps separate traffic flows. Virtual entities are abstractions, typically
representing IP addresses, ports, and protocol handlers for processing traffic. Clients
access applications and resources through these virtual entities. The most commonly
used entities are virtual servers and services. Virtual servers represent groups of
servers in a server farm or remote network, and services represent specific applications
on each server.
Most features and traffic settings are enabled through virtual entities. For example,
you can configure an appliance to compress all server responses to a client that is
connected to the server farm through a particular virtual server. To configure the
appliance for a particular environment, you need to identify the appropriate features
and then choose the right mix of virtual entities to deliver them. Most features are
delivered through a cascade of virtual entities that are bound to each other. In this
case, the virtual entities are like blocks being assembled into the final structure of a
delivered application. You can add, remove, modify, bind, enable, and disable the
virtual entities to configure the features. The following figure shows the concepts
covered in this section.
Figure 1-2. How Traffic Management Building Blocks Work
A Simple Load Balancing Configuration
In the example shown in the following figure, the NetScaler appliance is configured to
function as a load balancer. For this configuration, you need to configure virtual
entities specific to load balancing and bind them in a specific order. As a load balancer,
an appliance distributes client requests across several servers and thus optimizes the
utilization of resources.
The basic building blocks of a typical load balancing configuration are services and load
balancing virtual servers. The services represent the applications on the servers. The
virtual servers abstract the servers by providing a single IP address to which the clients
connect. To ensure that client requests are sent to a server, you need to bind each
service to a virtual server. That is, you must create services for every server and bind
the services to a virtual server. Clients use the VIP address to connect to a NetScaler
appliance. When the appliance receives client requests sent to the VIP address, it
sends them to a server determined by the load balancing algorithm. Load balancing
uses a virtual entity called a monitor to track whether a specific configured service
(server plus application) is available to receive requests.
Figure 1-3. Load Balancing Virtual Server, Services, and Monitors
In addition to configuring the load balancing algorithm, you can configure several
parameters that affect the behavior and performance of the load balancing
configuration. For example, you can configure the virtual server to maintain
persistence based on source IP address. The appliance then directs all requests from
any specific IP address to the same server.
Understanding Virtual Servers
A virtual server is a named NetScaler entity that external clients can use to access
applications hosted on the servers. It is represented by an alphanumeric name, virtual
IP (VIP) address, port, and protocol. The name of the virtual server is of only local
significance and is designed to make the virtual server easier to identify. When a client
attempts to access applications on a server, it sends a request to the VIP instead of the
IP address of the physical server. When the appliance receives a request at the VIP
address, it terminates the connection at the virtual server and uses its own connection
with the server on behalf of the client. The port and protocol settings of the virtual
server determine the applications that the virtual server represents. For example, a
web server can be represented by a virtual server and a service whose port and
protocol are set to 80 and HTTP, respectively. Multiple virtual servers can use the same
VIP address but different protocols and ports.
Virtual servers are points for delivering features. Most features, like compression,
caching, and SSL offload, are normally enabled on a virtual server. When the appliance
receives a request at a VIP address, it chooses the appropriate virtual server by the
port on which the request was received and its protocol. The appliance then processes
the request as appropriate for the features configured on the virtual server.
In most cases, virtual servers work in tandem with services. You can bind multiple
services to a virtual server. These services represent the applications running on
physical servers in a server farm. After the appliance processes requests received at a
VIP address, it forwards them to the servers as determined by the load balancing
algorithm configured on the virtual server. The following figure illustrates these
concepts.
Figure 1-4. Multiple Virtual Servers with a Single VIP Address
The preceding figure shows a configuration consisting of two virtual servers with a
common VIP address but different ports and protocols. Each of the virtual servers has
two services bound to it. The services s1 and s2 are bound to VS_HTTP and represent
the HTTP applications on Server 1 and Server 2. The services s3 and s4 are bound to
VS_SSL and represent the SSL applications on Server 2 and Server 3 (Server 2 provides
both HTTP and SSL applications). When the appliance receives an HTTP request at the
VIP address, it processes the request as specified by the settings of VS_HTTP and sends
it to either Server 1 or Server 2. Similarly, when the appliance receives an HTTPS
request at the VIP address, it processes it as specified by the settings of VS_SSL and it
sends it to either Server 2 or Server 3.
Virtual servers are not always represented by specific IP addresses, port numbers, or
protocols. They can be represented by wildcards, in which case they are known as
wildcard virtual servers. For example, when you configure a virtual server with a
wildcard instead of a VIP, but with a specific port number, the appliance intercepts and
processes all traffic conforming to that protocol and destined for the predefined port.
For virtual servers with wildcards instead of VIPs and port numbers, the appliance
intercepts and processes all traffic conforming to the protocol.
Virtual servers can be grouped into the following categories:
Load balancing virtual server
Receives and redirects requests to an appropriate server. Choice of the appropriate
server is based on which of the various load balancing methods the user configures.
Cache redirection virtual server
Redirects client requests for dynamic content to origin servers, and requests for
static content to cache servers. Cache redirection virtual servers often work in
conjunction with load balancing virtual servers.
Content switching virtual server
Directs traffic to a server on the basis of the content that the client has requested.
For example, you can create a content switching virtual server that directs all client
requests for images to a server that serves images only. Content switching virtual
servers often work in conjunction with load balancing virtual servers.
SSL virtual server
Receives and decrypts SSL traffic, and then redirects to an appropriate server.
Choosing the appropriate server is similar to choosing a load balancing virtual server.
Understanding Services
Services represent applications on a server. While services are normally combined with
virtual servers, in the absence of a virtual server, a service can still manage
application-specific traffic. For example, you can create an HTTP service on a
NetScaler appliance to represent a web server application. When the client attempts to
access a web site hosted on the web server, the appliance intercepts the HTTP requests
and creates a transparent connection with the web server.
In service-only mode, an appliance functions as a proxy. It terminates client
connections, uses a SNIP address to establish a connection to the server, and translates
the destination IP addresses of incoming client requests to a SNIP address. Although the
clients send requests directly to the IP address of the server, the server sees them as
coming from the SNIP address. The appliance translates the IP addresses, port
numbers, and sequence numbers.
A service is also a point for applying features. Consider the example of SSL
acceleration. To use this feature, you must create an SSL service and bind an SSL
certificate to the service. When the appliance receives an HTTPS request, it decrypts
the traffic and sends it, in clear text, to the server. Only a limited set of features can
be configured in the service-only case.
Services use entities called monitors to track the health of applications. Every service
has a default monitor, which is based on the service type, bound to it. As specified by
the settings configured on the monitor, the appliance sends probes to the application at
regular intervals to determine its state. If the probes fail, the appliance marks the
service as down. In such cases, the appliance responds to client requests with an
appropriate error message or re-routes the request as determined by the configured
load balancing policies.
Understanding Policies and Expressions
A policy defines specific details of traffic filtering and management on a NetScaler. It
consists of two parts: the expression and the action. The expression defines the types
of requests that the policy matches. The action tells the NetScaler what to do when a
request matches the expression. As an example, the expression might be to match a
specific URL pattern to a type of security attack, with the action being to drop or reset
the connection. Each policy has a priority, and the priorities determine the order in
which the policies are evaluated.
When a NetScaler receives traffic, the appropriate policy list determines how to
process the traffic. Each policy on the list contains one or more expressions, which
together define the criteria that a connection must meet to match the policy.
For all policy types except Rewrite policies, a NetScaler implements only the first
policy that a request matches, not any additional policies that it might also match. For
Rewrite policies, the NetScaler evaluates the policies in order and, in the case of
multiple matches, performs the associated actions in that order. Policy priority is
important for getting the results you want.
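The evaluation rules above can be modeled directly. The following Python model is an added example, not NetScaler code: expressions are plain Python predicates rather than NetScaler expression syntax, the policy names, URLs, and action strings are constructed, and it assumes that the policy with the lowest priority number is evaluated first.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int  # assumption: the lowest number is evaluated first
    expression: Callable[[Request], bool]  # stand-in for a NetScaler expression
    action: str


def evaluate(policies: List[Policy], request: Request, rewrite: bool = False) -> List[Policy]:
    """Return the policies whose actions are performed for one request.

    Non-Rewrite features stop at the first match; Rewrite performs every
    matching action in priority order.
    """
    hits = [p for p in sorted(policies, key=lambda p: p.priority) if p.expression(request)]
    return hits if rewrite else hits[:1]


def shadowed(policies: List[Policy], samples: List[Request]) -> List[str]:
    """Names of policies that match a sample request but never take effect."""
    matched, applied = set(), set()
    for request in samples:
        matched.update(p.name for p in policies if p.expression(request))
        applied.update(p.name for p in evaluate(policies, request))
    return sorted(matched - applied)


# Constructed sample traffic and policies (not from the guide).
SAMPLES = [{"url": "/scripts/cmd.exe"}, {"url": "/scripts/app.js"}, {"url": "/index.html"}]


def in_scripts(request: Request) -> bool:
    return request["url"].startswith("/scripts/")


def is_cmd_exe(request: Request) -> bool:
    return request["url"].endswith("/cmd.exe")


# The broad policy is evaluated first, so the RESET policy never fires.
MISORDERED = [Policy("allow_scripts", 100, in_scripts, "FORWARD"),
              Policy("block_cmd_exe", 200, is_cmd_exe, "RESET")]
# Giving the specific policy the lower number restores the intended result.
REORDERED = [Policy("allow_scripts", 100, in_scripts, "FORWARD"),
             Policy("block_cmd_exe", 50, is_cmd_exe, "RESET")]
# Rewrite policies: every match is performed, in priority order.
REWRITE = [Policy("delete_server_header", 20, lambda r: True, "DELETE Server"),
           Policy("add_via_header", 10, lambda r: True, "INSERT Via")]

if __name__ == "__main__":
    print("shadowed (misordered):", shadowed(MISORDERED, SAMPLES))
    print("shadowed (reordered): ", shadowed(REORDERED, SAMPLES))
    print("rewrite actions:", [p.action for p in evaluate(REWRITE, SAMPLES[0], rewrite=True)])
```

Running `shadowed` over a sample of representative requests before binding a policy list shows which policies can never take effect with the priorities as assigned.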
Processing Order of Features
Depending on requirements, you can choose to configure multiple features. For
example, you might choose to configure both compression and SSL offload. As a result,
an outgoing packet might be compressed and then encrypted before being sent to the
client.
The following figure shows the L7 packet flow in the NetScaler.
Figure 1-5. L7 Packet Flow Diagram
The following figure shows the DataStream packet flow in the NetScaler. DataStream is
supported for MySQL and MS SQL databases.
Figure 1-6. DataStream Packet Flow Diagram
Features at a Glance
Citrix NetScaler features can be configured independently or in combinations to
address specific needs. Although some features fit more than one category, the
numerous NetScaler features can generally be categorized as application switching and
traffic management features, application acceleration features, and application
security and firewall features.
To understand the order in which the features perform their processing, see "Processing
Order of Features."
Application Switching and Traffic Management Features
SSL Offloading
Transparently offloads SSL encryption and decryption from web servers, freeing
server resources to service content requests. SSL places a heavy burden on an
application's performance and can render many optimization measures ineffective.
SSL offload and acceleration allow all the benefits of Citrix Request Switching
technology to be applied to SSL traffic, ensuring secure delivery of web applications
without degrading end-user performance.
Access Control Lists
Compares incoming packets to Access Control Lists (ACLs). If a packet matches an
ACL rule, the action specified in the rule is applied to the packet. Otherwise, the
default action (ALLOW) is applied and the packet is processed normally. For the
appliance to compare incoming packets to the ACLs, you have to apply the ACLs. All
ACLs are enabled by default, but you have to apply them in order for the NetScaler
to compare incoming packets against them. If an ACL is not required to be a part of
the lookup table, but still needs to be retained in the configuration, it should be
disabled before the ACLs are applied. A NetScaler does not compare incoming
packets to disabled ACLs.
Load Balancing
Load balancing decisions are based on a variety of algorithms, including round robin,
least connections, weighted least bandwidth, weighted least packets, minimum
response time, and hashing based on URL, domain, source IP, or destination IP. Both
the TCP and UDP protocols are supported, so the NetScaler can load balance all
traffic that uses those protocols as the underlying carrier (for example, HTTP, HTTPS,
UDP, DNS, NNTP, and general firewall traffic). In addition, the NetScaler can maintain
session persistence based on source IP, cookie, server, group, or SSL session. It allows
users to apply custom Extended Content Verification (ECV) to servers, caches,
firewalls and other infrastructure devices to ensure that these systems are
functioning properly and are providing the right content to users. It can also perform
health checks using ping, TCP, or HTTP URL, and the user can create monitors based
on Perl scripts.
Traffic Domains
Traffic domains provide a way to create logical ADC partitions within a single
NetScaler appliance. They enable you to segment network traffic for different
applications. You can use traffic domains to create multiple isolated environments
whose resources do not interact with each other. An application belonging to a
specific traffic domain communicates only with entities, and processes traffic, within
that domain. Traffic belonging to one traffic domain cannot cross the boundary of
another traffic domain. Therefore, you can use duplicate IP addresses on the
appliance as long as an address is not duplicated within the same domain.
Network Address Translation
Network address translation (NAT) involves modification of the source and/or
destination IP addresses, and/or the TCP/UDP port numbers, of IP packets that pass
through the NetScaler appliance. Enabling NAT on the appliance enhances the
security of your private network, and protects it from a public network such as the
Internet, by modifying your network's source IP addresses when data passes through
the NetScaler.
The NetScaler appliance supports the following types of network address translation:
INAT—In Inbound NAT (INAT), an IP address (usually public) configured on the
NetScaler appliance listens to connection requests on behalf of a server. For a
request packet received by the appliance on a public IP address, the NetScaler
replaces the destination IP address with the private IP address of the server. In other
words, the appliance acts as a proxy between clients and the server. INAT
configuration involves INAT rules, which define a 1:1 relationship between the IP
address on the NetScaler appliance and the IP address of the server.
RNAT—In Reverse Network Address Translation (RNAT), for a session initiated by a
server, the NetScaler appliance replaces the source IP address in the packets
generated by the server with an IP address (type SNIP) configured on the appliance.
The appliance thereby prevents exposure of the server's IP address in any of the
packets generated by the server. An RNAT configuration involves an RNAT rule, which
specifies a condition. The appliance performs RNAT processing on those packets that
match the condition.
Stateless NAT46 Translation—Stateless NAT46 enables communication between IPv4
and IPv6 networks, by way of IPv4 to IPv6 packet translation and vice versa, without
maintaining any session information on the NetScaler appliance. A stateless NAT46
configuration involves an IPv4-IPv6 INAT rule and an NAT46 IPv6 prefix.
Stateful NAT64 Translation—The stateful NAT64 feature enables communication
between IPv4 clients and IPv6 servers through IPv6 to IPv4 packet translation, and
vice versa, while maintaining session information on the NetScaler appliance. A
stateful NAT64 configuration involves an NAT64 rule and an NAT64 IPv6 prefix.
Multipath TCP Support
NetScaler appliances support Multipath TCP (MPTCP). MPTCP is a TCP/IP protocol
extension that identifies and uses multiple paths available between hosts to maintain
the TCP session. You must enable MPTCP on a TCP profile and bind it to a virtual
server. When MPTCP is enabled, the virtual server functions as an MPTCP gateway
and converts MPTCP connections with the clients to TCP connections that it
maintains with the servers.
Content Switching
Determines the server to which to send the request on the basis of configured
content switching policies. Policy rules can be based on the IP address, URL, and
HTTP headers. This allows switching decisions to be based on user and device
characteristics such as who the user is, what type of agent is being used, and what
content the user requested.
TCP Optimization
You can use TCP profiles to optimize TCP traffic. TCP profiles define the way that
NetScaler virtual servers process TCP traffic. Administrators can use the built-in TCP
profiles or configure custom profiles. After defining a TCP profile, you can bind it to
a single virtual server or to multiple virtual servers.
Some of the key optimization features that can be enabled by TCP profiles are:
• TCP keep-alive—Checks the operational status of the peers at specified time
intervals to prevent the link from being broken.
• Selective Acknowledgment (SACK)—Improves the performance of data
transmission, especially in long fat networks (LFNs).
• TCP window scaling—Allows efficient transfer of data over long fat networks
(LFNs).
DataStream
The NetScaler DataStream feature provides an intelligent mechanism for request
switching at the database layer by distributing requests on the basis of the SQL query
being sent.
When deployed in front of database servers, a NetScaler ensures optimal distribution
of traffic from the application servers and Web servers. Administrators can segment
traffic according to information in the SQL query and on the basis of database
names, user names, character sets, and packet size.
You can configure load balancing to switch requests according to load balancing
algorithms, or you can elaborate the switching criteria by configuring content
switching to make a decision based on SQL query parameters, such as user name,
database names, and command parameters. You can further configure monitors to
track the states of database servers.
The advanced policy infrastructure on the NetScaler appliance includes expressions
that you can use to evaluate and process the requests. The advanced expressions
evaluate traffic associated with MySQL database servers. You can use request-based
expressions (expressions that begin with MYSQL.CLIENT and MYSQL.REQ) in
advanced policies to make request switching decisions at the content switching
virtual server bind point and response-based expressions (expressions that begin with
MYSQL.RES) to evaluate server responses to user-configured health monitors.
Note: DataStream is supported for MySQL and MS SQL databases.
Application Acceleration Features
AppCompress
Uses the gzip compression protocol to provide transparent compression for HTML and
text files. The typical 4:1 compression ratio yields up to 50% reduction in bandwidth
requirements out of the data center. It also results in significantly improved end-user
response time, because it reduces the amount of data that must be delivered to the
user’s browser.
Cache Redirection
Manages the flow of traffic to a reverse proxy, transparent proxy, or forward proxy
cache farm. Inspects all requests, and identifies non-cacheable requests and sends
them directly to the origin servers over persistent connections. By intelligently
redirecting non-cacheable requests back to the origin web servers, the NetScaler
appliance frees cache resources and increases cache hit rates while reducing overall
bandwidth consumption and response delays for these requests.
AppCache
Helps optimize web content and application data delivery by providing fast in-memory
HTTP/1.1 and HTTP/1.0 compliant web caching for both static and dynamic
content. This on-board cache stores the results of incoming application requests even
when an incoming request is secured or the data compressed, and then reuses the
data to fulfill subsequent requests for the same information. By serving data directly
from the on-board cache, the appliance can reduce page regeneration times by
eliminating the need to funnel static and dynamic content requests to the server.
TCP Buffering
Buffers the server’s response and delivers it to the client at the client’s speed, thus
offloading the server faster and thereby improving the performance of web sites.
Application Security and Firewall Features
Denial of Service Attack (DoS) Defense
Detects and stops malicious distributed denial-of-service (DDoS) attacks and other
types of malicious attacks before they reach your servers, preventing them from
affecting network and application performance. The NetScaler appliance identifies
legitimate clients and elevates their priority, leaving suspect clients unable to
consume a disproportionate percentage of resources and cripple your site. The
appliance provides application-level protection from the following types of malicious
attacks:
• SYN flood attacks
• Pipeline attacks
• Teardrop attacks
• Land attacks
• Fraggle attacks
• Zombie connection attacks
The appliance aggressively defends against these types of attacks by preventing the
allocation of server resources for these connections. This insulates servers from the
overwhelming flood of packets associated with these events.
The appliance also protects network resources from ICMP based attacks by using
ICMP rate limiting and aggressive ICMP packet inspection. It performs strong IP
reassembly, drops a variety of suspicious and malformed packets, and applies Access
Control Lists (ACLs) to site traffic for further protection.
Content Filtering
Provides protection from malicious attacks for web sites at the Layer 7 level. The
appliance inspects each incoming request according to user-configured rules based
on HTTP headers, and performs the action the user configured. Actions can include
resetting the connection, dropping the request, or sending an error message to the
user’s browser. This allows the appliance to screen unwanted requests and reduces
your servers’ exposure to attacks.
This feature can also analyze HTTP GET and POST requests and filter out known bad
signatures, allowing it to defend your servers against HTTP-based attacks.
Responder
Functions like an advanced filter and can be used to generate responses from the
appliance to the client. Some common uses of this feature are generation of redirect
responses, user defined responses, and resets.
Rewrite
Modifies HTTP headers and body text. You can use the rewrite feature to add HTTP
headers to an HTTP request or response, make modifications to individual HTTP
headers, or delete HTTP headers. It also enables you to modify the HTTP body in
requests and responses.
When the appliance receives a request or sends a response, it checks for rewrite
rules, and if applicable rules exist, it applies them to the request or response before
passing it on to the web server or client computer.
Priority Queuing
Prioritizes user requests to ensure that the most important traffic is serviced first
during surges in request volume. You can establish priority based on request URLs,
cookies, or a variety of other factors. The appliance places requests in a three-tier
queue based on their configured priority, enabling business-critical transactions to
flow smoothly even during surges or site attacks.
Surge Protection
Regulates the flow of user requests to servers and controls the number of users that
can simultaneously access the resources on the servers, queuing any additional
requests once your servers have reached their capacity. By controlling the rate at
which connections can be established, the appliance blocks surges in requests from
being passed on to your servers, thus preventing site overload.
Application Firewall
Protects applications from misuse by hackers and malware, such as cross site
scripting attacks, buffer overflow attacks, SQL injection attacks, and forceful
browsing, by filtering traffic between each protected web server and users that
connect to any web site on that web server. The application firewall examines all
traffic for evidence of attacks on web server security or misuse of web server
resources, and takes the appropriate action to prevent these attacks from
succeeding.
NetScaler 1000V Licensing
You can use a NetScaler 1000V virtual appliance for 120 days without a license. Until
you install a license, throughput is limited to 500 Mbps. At the end of the trial period,
you must purchase and install a valid license on the virtual appliance. NetScaler 1000V
licensing is separate from Citrix-distributed NetScaler VPX licensing. For license
installation instructions in standalone mode on Nexus 1010/1110, see "Installing the
License and Verifying the Resources." For license installation instructions in HA mode on
Nexus 1010/1110, see "Installing the License and Verifying the Resources in High
Availability Mode." For license installation instructions on VMware ESX, see "Installing
the License and Verifying the Resources on VMware ESX."
All types of license require 20 GB of disk space and seven virtual network interfaces
(five data, one management, and one internal).
Important: The internal interface (0/2) is used for communication between the
NetScaler 1000V virtual appliance and the Nexus 1010/1110 appliance. Do not
configure it to carry any data or control traffic. The 0/2 interface is not available on the
NetScaler 1000V virtual appliance hosted on a VMware ESX appliance.
Installing NetScaler 1000V Virtual Appliances on Nexus 1010/1110
NetScaler 1000V on Nexus 1010/1110 can be deployed in a standalone mode or in a high
availability (HA) mode. If you deploy NetScaler 1000V virtual appliances in an HA mode,
Citrix recommends that you deploy them on separate Nexus 1010/1110 appliances that
are deployed in HA mode.
If one of the Nexus nodes in an HA setup goes down and is replaced, a new NetScaler
1000V node must be installed on the new Nexus node. Then, the configuration of the
new NetScaler 1000V node must be synchronized with the configuration of the existing
NetScaler 1000V node.
You should assign only pass-through interfaces to NetScaler 1000V for data ports. A
pass-through interface is owned by the VSB and cannot be shared by other VSBs. With
pass-through interfaces, use Cisco's Flexible Network option (described as "Network
Option 5" in the white paper available at
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c07-603623.html).
You can assign a shared interface to the management port (0/1).
After you install NetScaler 1000V on Nexus 1010/1110, set up vPath on the new VM so
that it can communicate with the servers. For more information about vPath, see
"Setting Up vPath on the NetScaler 1000V."
Prerequisites
Before you begin installing NetScaler 1000V as a VSB, be sure to:
• Install the Cisco Nexus 1010/1110 Virtual Services Appliance and connect it to the
network. For instructions, see the Cisco Nexus 1010 Virtual Services Appliance
Hardware Installation Guide.
• Log on to the CLI in EXEC mode.
• Know the name of the NetScaler 1000V VSB that you want to create.
• Know the name of the OVA file that you will use.
• Know the Management IP address, subnet mask, default gateway, and logon
credentials.
• If deploying NetScaler 1000V VSBs in a high availability (HA) mode, first deploy
Nexus 1010/1110 appliances in HA mode.
• For an HA deployment, know the management IP address and host name of the
primary node and the secondary node.
• Verify that the Cisco Nexus 1010/1110 appliance and NetScaler 1000V VSB share the
same management VLAN.
Note:
Do not change the management VLAN on a VSB. The management VLAN is inherited
from Cisco Nexus 1010/1110, so any changes to the management VLAN are applied
to the Cisco Nexus 1010/1110 and all of its hosted VSBs.
Note: NetScaler 1000V is provisioned with nine virtual interfaces from release
10.5-52.x onwards on Nexus 1010/1110 platforms. Releases prior to 10.5-52.x are
provisioned with seven virtual interfaces.
Installing the VSBs in a High Availability Setup
NetScaler 1000V appliances in high availability (HA) mode should be installed on
separate Nexus appliances in an HA setup. After deploying the VSBs and assigning
resources to them, verify that installation was successful and the configuration is
as you intended.
If you have not purchased a license, the trial usage period begins with installation. If
you have purchased a license, install it and then verify that resources are correctly
allocated.
The following topics describe the installation tasks:
1. Installing NetScaler 1000V in High Availability Mode
2. Verifying NetScaler 1000V Installation in High Availability Mode
3. Installing the License and Verifying the Resources in High Availability Mode
Installing NetScaler 1000V in High Availability Mode
1. Deploy NetScaler 1000V.
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# virtual-service-blade nsvsb1
switch(config-vsb-config)# virtual-service-blade-type new NetScaler1000V-NEXUS-10.5-52.3_nc.ova
Note: It can take a while to finish OVA extract operation. Please be patient..
2. Assign VLANs to the virtual interfaces.
The physical interface can be assigned in two modes, the pass-through mode and
the shared mode.
Pass-through mode: In pass-through mode, a physical Ethernet interface is
dedicated to a single virtual interface on the Nexus appliance. All the traffic
received at the Ethernet interface is passed to a single virtual device.
In the following example, VLAN 2 is assigned to data ports ns_intf_1 through
ns_intf_7. VLAN 1, the management VLAN on Nexus 1010/1110, is assigned to
ns_intf_0. The port channel that is used as the Nexus management interface
(PortChannel1 in this example) is assigned to ns_intf_0.
switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 2
switch(config-vsb-config)# interface ns_intf_2 vlan 2
switch(config-vsb-config)# interface ns_intf_3 vlan 2
switch(config-vsb-config)# interface ns_intf_4 vlan 2
switch(config-vsb-config)# interface ns_intf_5 vlan 2
switch(config-vsb-config)# interface ns_intf_6 vlan 2
switch(config-vsb-config)# interface ns_intf_7 vlan 2
ns_intf_0 is the management port for NetScaler 1000V. You should configure the
data and management interfaces of NetScaler 1000V on Nexus 1010/1110 in
separate VLANs.
Shared mode: In shared mode, a physical Ethernet interface is shared among
different virtual interfaces on the Nexus appliance. Each virtual device has a VLAN
assigned to it. Traffic is diverted to a virtual device in one of the following
ways:
• When a data frame arrives at the Ethernet interface with a VLAN tag that matches
the VLAN number of a virtual device, the data frame is passed to that
particular virtual device.
• When a data frame arrives with no VLAN tag on a physical Ethernet interface,
the frame is forwarded to all the virtual interfaces sharing the same native
VLAN as the physical interface.
The following example shows the configuration in the shared mode.
switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 11
switch(config-vsb-config)# interface ns_intf_2 vlan 12
switch(config-vsb-config)# interface ns_intf_3 vlan 13
switch(config-vsb-config)# interface ns_intf_4 vlan 14
switch(config-vsb-config)# interface ns_intf_5 vlan 15
switch(config-vsb-config)# interface ns_intf_6 vlan 16
switch(config-vsb-config)# interface ns_intf_7 vlan 17
3. Assign the physical interface.
In the following example for pass-through, only two of the five data ports assigned
to NetScaler 1000V are being used. Therefore, only two interfaces, ns_intf_1 and
ns_intf_2, are bound to physical ports Ethernet3 and Ethernet4, respectively, in
pass-through mode.
switch(config-vsb-config)# interface ns_intf_0 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_1 mode passthrough
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
switch(config-vsb-config)# interface ns_intf_2 mode passthrough
In the pass-through mode, if ports Ethernet3 and Ethernet4 are also being used by
another VSB, the following error message appears:
ERROR: Assigned uplink is a passthrough interface which cannot
be shared.
If this error message appears, release these data ports from that VSB.
The following example shows the shared mode.
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
4. Assign uplink physical interfaces to the remaining virtual interfaces of this VSB.
You should assign the management port (PortChannel1 in the above examples) as
the uplink port to the unused data ports (ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6,
and ns_intf_7 in the above examples).
switch(config-vsb-config)# interface ns_intf_3 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_4 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_5 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_6 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_7 uplink PortChannel1
5. From the Nexus 1010/1110 command line, disable any unused virtual interfaces of
NetScaler 1000V.
Loops can be created within NetScaler 1000V if multiple interfaces in the
NetScaler 1000V virtual appliance are connected to the same uplink interface on
Nexus.
The commands in the following example disable VsbEthernet1/5, VsbEthernet1/6,
VsbEthernet1/7, VsbEthernet1/8, and VsbEthernet1/9, which correspond to the unused
interfaces ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7 on NetScaler
1000V. After installing the VSB, log on to the VSB, and disable these unused
interfaces.
switch(config-vsb-config)# interface VsbEthernet1/5
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/6
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/7
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/8
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/9
switch(config-if)# shut
6. Enter basic configuration parameters for NetScaler 1000V. When prompted, select
true for an HA setup, and then specify the IP address and network for the peer
node.
switch(config-vsb-config)# enable
Enter vsb image: [NetScaler1000V-NEXUS-10.5-52.3_nc.ova]
NS HA [true/false]: [true]
Management IP version [V4|V6]: [V4]
Enter Primary IPv4 address: 10.217.205.30
Enter Primary subnet mask: 255.255.252.0
Primary IPv4 address of the default gateway: 10.217.204.1
Enter Secondary IPv4 address: [0.0.0.0] 10.217.205.31
Enter Secondary subnet mask: [0.0.0.0] 255.255.255.0
Enter Secondary IPv4 address of the default gateway: [0.0.0.0] 10.217.204.1
Enter Primary HostName: ns-primary
Enter Secondary HostName: ns-secondary
Enter the password for 'nsroot': nsroot
----Details entered----
NS HA [true/false]: : true
Management IP version [V4|V6]: : V4
Enter Primary IPv4 address: : 10.217.205.30
Enter Primary subnet mask: : 255.255.252.0
Primary IPv4 address of the default gateway: : 10.217.204.1
Enter Secondary IPv4 address: : 10.217.205.31
Enter Secondary subnet mask: : 255.255.252.0
Enter secondary IPv4 address of the default gateway: : 10.217.204.1
Enter Primary HostName: : ns-primary
Enter Secondary HostName: : ns-secondary
Enter the password for 'nsroot': : nsroot
Do you want to continue installation with entered details (Y/N)? [Y]
Note: VSB installation is in progress, please use show virtual-service-blade commands to check the installation status.
Note: VSB installation may take upto 5 minutes.
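The rules stated in steps 2 to 5 (separate management and data VLANs, a pass-through uplink dedicated to a single virtual interface, and unused interfaces shut down so that no two enabled interfaces share an uplink) can be checked before the VSB is enabled. The following Python script is an added example, not part of the guide and not a Cisco or Citrix tool: the function names are hypothetical, the session text is assembled from the pass-through commands in the steps above, and an interface without a mode line is assumed to be in shared mode.

```python
import re
from collections import defaultdict

PROMPT = re.compile(r"^switch\([^)]*\)#\s*")


def vsb_port_to_intf(port):
    """Slot 1 numbering shown in this guide: VsbEthernet1/1 is ns_intf_0, 1/2 is
    the internal port, and 1/3 to 1/9 are ns_intf_1 to ns_intf_7."""
    n = int(port.rsplit("/", 1)[1])
    return {1: "ns_intf_0", 2: "internal"}.get(n, f"ns_intf_{n - 2}")


def parse(session):
    """Build {interface: settings} from config-mode lines (prompts optional)."""
    intfs = defaultdict(lambda: {"vlan": None, "uplink": None,
                                 "mode": "shared", "shut": False})
    current = None  # interface selected by the last 'interface VsbEthernet...' line
    for raw in session.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if len(words) == 4 and words[0] == "interface" and words[2] in ("vlan", "uplink", "mode"):
            intfs[words[1]][words[2]] = words[3]
        elif len(words) == 2 and words[0] == "interface" and words[1].startswith("VsbEthernet"):
            current = vsb_port_to_intf(words[1])
        elif words and words[0] in ("shut", "shutdown") and current:
            intfs[current]["shut"] = True
    return dict(intfs)


def audit(intfs, mgmt="ns_intf_0"):
    """Return (check, subject, detail) tuples for the three rules in the guide."""
    findings = []
    mgmt_vlan = intfs.get(mgmt, {}).get("vlan")
    for name in sorted(intfs):
        cfg = intfs[name]
        # Data and management interfaces belong in separate VLANs.
        if name != mgmt and not cfg["shut"] and mgmt_vlan and cfg["vlan"] == mgmt_vlan:
            findings.append(("mgmt-data-same-vlan", name, f"vlan {mgmt_vlan}"))
    by_uplink = defaultdict(list)
    for name in sorted(intfs):
        if intfs[name]["uplink"]:
            by_uplink[intfs[name]["uplink"]].append(name)
    for uplink in sorted(by_uplink):
        names = by_uplink[uplink]
        # A pass-through uplink is dedicated to a single virtual interface.
        if len(names) > 1 and any(intfs[n]["mode"] == "passthrough" for n in names):
            findings.append(("passthrough-uplink-shared", uplink, ",".join(names)))
        # Several enabled interfaces on one uplink can create a loop.
        live = [n for n in names if not intfs[n]["shut"]]
        if len(live) > 1:
            findings.append(("loop-risk", uplink, ",".join(live)))
    return findings


# Session assembled from the pass-through commands in steps 2 to 5.
GUIDE_CONFIG = """\
switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 2
switch(config-vsb-config)# interface ns_intf_2 vlan 2
switch(config-vsb-config)# interface ns_intf_3 vlan 2
switch(config-vsb-config)# interface ns_intf_4 vlan 2
switch(config-vsb-config)# interface ns_intf_5 vlan 2
switch(config-vsb-config)# interface ns_intf_6 vlan 2
switch(config-vsb-config)# interface ns_intf_7 vlan 2
switch(config-vsb-config)# interface ns_intf_0 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_1 mode passthrough
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
switch(config-vsb-config)# interface ns_intf_2 mode passthrough
switch(config-vsb-config)# interface ns_intf_3 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_4 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_5 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_6 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_7 uplink PortChannel1
switch(config-vsb-config)# interface VsbEthernet1/5
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/6
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/7
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/8
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/9
switch(config-if)# shut
"""
# Constructed variant: the same session with the last 'shut' left out.
MISSING_SHUT = GUIDE_CONFIG.rsplit("switch(config-if)# interface VsbEthernet1/9", 1)[0]

if __name__ == "__main__":
    for label, text in (("guide", GUIDE_CONFIG), ("missing shut", MISSING_SHUT)):
        print(label, audit(parse(text)) or "no findings")
```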
Verifying NetScaler 1000V Installation in High Availability Mode
After installing NetScaler 1000V, log on to the Nexus console and verify that the VSB
has installed correctly. Then, verify that you are able to log on to the NetScaler VSB.
1. Use the show command to verify that the VSB has installed correctly.
Following is the output in the pass-through mode:
switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
Description:
Slot id: 1
Host Name: nsvsb1
Management IP: 10.217.205.30
VSB Type Name : NetScaler1000V-105523.1
Configured vCPU: 2
Operational vCPU: 2
Configured Ramsize: 2048
Operational Ramsize: 2048
Disksize: 20
Configured CryptoOffload Bandwidth: 0
Operational CryptoOffload Bandwidth: 0
Configured CryptoOffload VF: 0
Operational CryptoOffload VF: 0
Heartbeat: 68906
Legends: P - Passthrough
----------------------------------------------------------------------------------
Interface       Type       MAC             VLAN  State       Uplink-Interface
                                                 Pri   Sec   Oper  Adm
----------------------------------------------------------------------------------
VsbEthernet1/1  ns_intf_0  0002.3d71.0e82  1     up    up    Po1   Po1
internal  NA  NA  up
VsbEthernet1/3  ns_intf_1  0002.3d71.0e83  11    up    up    Eth3(P)Eth3(P)
VsbEthernet1/4  ns_intf_2  0002.3d71.0e84  12    up    up    Eth4(P)Eth4(P)
VsbEthernet1/5  ns_intf_3  0002.3d71.0e85  13    down  down  Po1   Po1
VsbEthernet1/6  ns_intf_4  0002.3d71.0e86  14    down  down  Po1   Po1
VsbEthernet1/7  ns_intf_5  0002.3d71.0e87  15    down  down  Po1   Po1
VsbEthernet1/8  ns_intf_6  0002.3d71.0e88  16    down  down  Po1   Po1
VsbEthernet1/9  ns_intf_7  0002.3d71.0e89  17    down  down  Po1   Po1
virtual-service-blade:
HA Role: Primary
HA Status: ACTIVE
Status: VSB POWERED ON
Location: PRIMARY
SW version: NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
HA Role: Secondary
HA Status: STANDBY
Status: VSB POWERED ON
Location: SECONDARY
SW version: NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07 7
VSB Info:
Netscaler VPX
Following is the output in the shared mode:
switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id:                              1
  Host Name:                            nsvsb1
  Management IP:                        10.217.205.30
  VSB Type Name :                       NetScaler1000V-105523.1
  Configured vCPU:                      2
  Operational vCPU:                     2
  Configured Ramsize:                   2048
  Operational Ramsize:                  2048
  Disksize:                             20
  Configured CryptoOffload Bandwidth:   0
  Operational CryptoOffload Bandwidth:  0
  Configured CryptoOffload VF:          0
  Operational CryptoOffload VF:         0
  Heartbeat:                            68906
  Legends:                              P - Passthrough
----------------------------------------------------------------------------------
Interface       Type       MAC             VLAN  State       Uplink-Interface
                                                 Pri   Sec   Oper     Adm
----------------------------------------------------------------------------------
VsbEthernet1/1  ns_intf_0  0002.3d71.0e82  1     up    up    Po1      Po1
internal  NA  NA  NA  up
VsbEthernet1/3  ns_intf_1  0002.3d71.0e83  11    up    up    Eth3(P)  Eth3(P)
VsbEthernet1/4  ns_intf_2  0002.3d71.0e84  12    up    up    Eth4(P)  Eth4(P)
VsbEthernet1/5  ns_intf_3  0002.3d71.0e85  13    down  down  Po1      Po1
VsbEthernet1/6  ns_intf_4  0002.3d71.0e86  14    down  down  Po1      Po1
VsbEthernet1/7  ns_intf_5  0002.3d71.0e87  15    down  down  Po1      Po1
VsbEthernet1/8  ns_intf_6  0002.3d71.0e88  16    down  down  Po1      Po1
VsbEthernet1/9  ns_intf_7  0002.3d71.0e89  17    down  down  Po1      Po1
virtual-service-blade:
  HA Role: Primary
    HA Status:   ACTIVE
    Status:      VSB POWERED ON
    Location:    PRIMARY
    SW version:  NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  HA Role: Secondary
    HA Status:   STANDBY
    Status:      VSB POWERED ON
    Location:    SECONDARY
    SW version:  NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  VSB Info:
    Netscaler VPX
2. Log on to NetScaler 1000V.
Only one virtual CPU will be shown, because the license is not yet installed on the
VSB.
switch(config-vsb-config)# login virtual-service-blade
nsvsb1
Telnet escape character is '^\'.
Trying 127.1.0.18...
Connected to 127.1.0.18.
Escape character is '^\'.
login: nsroot
Password:
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991,
1992, 1993, 1994
The Regents of the University of California. All
rights reserved.
Done
> sh ver
NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
Done
> stat cpu
CPU statistics
ID    Usage
1     0
Done
>
3. Verify the configuration of the primary NetScaler 1000V node.
> show node
1)      Node ID:      0
        IP:   10.217.205.30 (ns-primary)
        Node State: UP
        Master State: Primary
        Fail-Safe Mode: OFF
        INC State: DISABLED
        Sync State: ENABLED
        Propagation: ENABLED
        Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
        Disabled Interfaces : None
        HA MON ON Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
        Interfaces on which heartbeats are not seen : 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
        Interfaces causing Partial Failure: None
        SSL Card Status: NOT PRESENT
        Hello Interval: 200 msecs
        Dead Interval: 3 secs
        Node in this Master State for: 0:0:8:20 (days:hrs:min:sec)
2)      Node ID:      1
        IP:   10.217.205.31
        Node State: UP
        Master State: Secondary
        Fail-Safe Mode: OFF
        INC State: DISABLED
        Sync State: SUCCESS
        Propagation: ENABLED
        Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
        Disabled Interfaces : None
        HA MON ON Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
        Interfaces on which heartbeats are not seen : 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
        Interfaces causing Partial Failure: None
        SSL Card Status: NOT PRESENT
Local node information:
        Critical Interfaces: 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
Done
4. Log on to the primary and secondary NetScaler 1000V appliances, and from the
command line interface disable any unused interfaces on NetScaler 1000V.
In the following example, interfaces 1/3, 1/4, 1/5, 1/6, and 1/7 are the same virtual
interfaces (ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7) that were
disabled on the Nexus 1010/1110 appliance by using the shut command.
> dis int 1/[3-7]
interface "1/3" disabled
interface "1/4" disabled
interface "1/5" disabled
interface "1/6" disabled
interface "1/7" disabled
Done
Installing the License and Verifying the Resources in High
Availability Mode
You can use NetScaler 1000V without a license for 120 days, with throughput limited to
500 Mbps. If you have purchased a license, install it after verifying that NetScaler
1000V has been correctly installed. You can install the license by using the command
line interface (CLI) or the configuration utility (GUI).
To install the license and verify the resources by using the command
line interface
1. Shut down NetScaler 1000V. At the Nexus 1010/1110 console, type: switch (config-vsb-config)# shut.
2. Allocate resources for NetScaler 1000V on Nexus 1010/1110.
The following example allocates 4 vCPUs and 12288 MB of RAM.
switch (config-vsb-config)# numcpu 4
switch (config-vsb-config)# ramsize 12288
3. Restart NetScaler 1000V. At the Nexus 1010/1110 console, type: switch (config-vsb-config)# no shut.
4. Upload the license to the /nsconfig/license directory on the NetScaler 1000V
appliances in a high availability (HA) setup.
> shell
root@ns# cd /nsconfig/license
Copy the new license file to this directory.
>
5. Restart the virtual appliances.
In an HA setup, first restart the secondary node, and then restart the primary
node.
> reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:Y
Done
>
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991,
1992, 1993, 1994
The Regents of the University of California. All rights
reserved.
Done
>
6. Verify that the resources are allocated according to the license installed.
In the following example, three CPUs are allocated.
> stat cpu
CPU statistics
ID    Usage
3     0
2     0
1     0
Done
>
To install the license and verify the resources by using the
configuration utility
Perform the following procedure for each NetScaler 1000V appliance in a high
availability (HA) setup.
1. On the Configuration tab, navigate to System > Licenses.
2. In the details pane, click Manage Licenses.
3. Click Update Licenses.
4. Click Browse. Navigate to the location of the license files, select the license file,
and then click Open.
5. Click Reboot to apply the license.
6. In the Reboot dialog box, click OK to proceed with the changes, or click Close to
cancel the changes.
7. In a web browser, type the IP address of the NetScaler 1000V virtual appliance.
8. In User Name and Password, type the administrator credentials.
9. On the Dashboard tab, click the arrow next to System Overview and select CPU.
Verify that the resources are allocated according to the license installed.
Installing NetScaler 1000V in Standalone Mode
You can install a NetScaler 1000V virtual appliance in standalone mode on a standalone
Nexus 1010/1110 appliance, or on either the primary or secondary appliance in a high
availability pair. After deploying the VSB and assigning resources to it, verify that
installation was successful and the configuration is as you intended.
If you have not purchased a license, the trial usage period begins with installation. If
you have purchased a license, install it and then verify that resources are correctly
allocated.
The following topics describe the installation tasks:
1. Installing NetScaler 1000V as a Standalone VSB
2. Verifying NetScaler 1000V Installation
3. Installing the License and Verifying the Resources
Installing NetScaler 1000V as a Standalone VSB
1. Deploy NetScaler 1000V.
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# virtual-service-blade nsvsb1
switch(config-vsb-config)# virtual-service-blade-type new NetScaler1000V-NEXUS-10.5-52.3_nc.ova
Note: It can take a while to finish OVA extract operation. Please be patient..
2. Assign VLANs to the virtual interfaces.
The physical interface can be assigned in two modes, the pass-through mode and
the shared mode.
Pass-through mode: In pass-through mode, a physical Ethernet interface is
dedicated to a single virtual interface on the Nexus appliance. All the traffic
received at the Ethernet interface is passed to a single virtual device.
In the following example, VLAN 2 is assigned to data ports ns_intf_1 through
ns_intf_7. VLAN 1, the management VLAN on Nexus 1010/1110, is assigned to
ns_intf_0. The port channel that is used as the Nexus management interface
(PortChannel1 in this example) is assigned to ns_intf_0.
switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 2
switch(config-vsb-config)# interface ns_intf_2 vlan 2
switch(config-vsb-config)# interface ns_intf_3 vlan 2
switch(config-vsb-config)# interface ns_intf_4 vlan 2
switch(config-vsb-config)# interface ns_intf_5 vlan 2
switch(config-vsb-config)# interface ns_intf_6 vlan 2
switch(config-vsb-config)# interface ns_intf_7 vlan 2
ns_intf_0 is the management port for NetScaler 1000V. You should configure the
data and management interfaces of NetScaler 1000V on Nexus 1010/1110 in
separate VLANs.
Shared mode: In shared mode, a physical Ethernet interface is shared among
different virtual interfaces on the Nexus appliance. Each virtual device has a VLAN
assigned to it. Traffic is diverted to a virtual device in one of the following ways:
• When a data frame arrives at the Ethernet interface with a VLAN tag that matches
the VLAN number of a virtual device, the frame is passed to that particular
virtual device.
• When a data frame arrives with no VLAN tag on a physical Ethernet interface,
the frame is forwarded to all the virtual interfaces that share the same native
VLAN as the physical interface.
The following example shows the configuration in the shared mode.
switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 11
switch(config-vsb-config)# interface ns_intf_2 vlan 12
switch(config-vsb-config)# interface ns_intf_3 vlan 13
switch(config-vsb-config)# interface ns_intf_4 vlan 14
switch(config-vsb-config)# interface ns_intf_5 vlan 15
switch(config-vsb-config)# interface ns_intf_6 vlan 16
switch(config-vsb-config)# interface ns_intf_7 vlan 17
3. Assign the physical interface
In the following example for pass-through, only two of the five data ports assigned
to NetScaler 1000V are being used. Therefore, only two interfaces, ns_intf_1 and
ns_intf_2, are bound to physical port Ethernet3 and Ethernet4, respectively, in
pass-through mode.
switch(config-vsb-config)# interface ns_intf_0 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_1 mode passthrough
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
switch(config-vsb-config)# interface ns_intf_2 mode passthrough
In the pass-through mode, if ports Ethernet3 and Ethernet4 are also being used by
another VSB, the following error message appears:
ERROR: Assigned uplink is a passthrough interface which cannot
be shared.
If this error message appears, release these data ports from that VSB.
The following example shows the shared mode.
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
4. Assign uplink physical interfaces to the remaining virtual interfaces of this VSB.
You should assign the management port (PortChannel1 in the above examples) as
the uplink port to the unused data ports (ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6,
and ns_intf_7 in the above examples).
switch(config-vsb-config)# interface ns_intf_3 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_4 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_5 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_6 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_7 uplink PortChannel1
5. From the Nexus 1010/1110 command line, disable any unused virtual interfaces of
NetScaler 1000V.
Loops can be created within NetScaler 1000V if multiple interfaces in the
NetScaler 1000V virtual appliance are connected to the same uplink interface on
Nexus.
The commands in the following example disable VsbEthernet1/5, VsbEthernet1/6,
VsbEthernet1/7, VsbEthernet1/8, and VsbEthernet1/9, which correspond to the unused
interfaces ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7 on NetScaler
1000V. After installing the VSB, log on to the VSB, and disable these unused
interfaces.
switch(config-vsb-config)# interface VsbEthernet1/5
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/6
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/7
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/8
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/9
switch(config-if)# shut
6. Enter basic configuration parameters for NetScaler 1000V.
• If the VSB is installed in standalone mode on a primary Nexus appliance, use the
enable primary command.
• If the VSB is installed in standalone mode on a secondary Nexus appliance, use
the enable secondary command.
• If the VSB is installed in standalone mode on a standalone Nexus appliance, use
the enable command.
Specify HA as false.
The following example uses the enable primary command with HA as false,
because NetScaler 1000V is being installed in standalone mode on a primary Nexus
appliance.
switch(config-vsb-config)# enable primary
Enter vsb image: [NetScaler1000V-NEXUS-10.5-52.3_nc.ova]
NS HA [true/false]: [true] false
Management IP version [V4|V6]: [V4]
Enter Primary IPv4 address: 10.217.205.45
Enter Primary subnet mask: 255.255.252.0
Primary IPv4 address of the default gateway: 10.217.204.1
Enter Secondary IPv4 address: [0.0.0.0]
Enter Secondary subnet mask: [0.0.0.0]
Enter Secondary IPv4 address of the default gateway:
[0.0.0.0]
Enter Primary HostName: nsvsb1
Enter the password for 'nsroot': nsroot
----Details entered----
NS HA [true/false]: : false
Management IP version [V4|V6]: : V4
Enter Primary IPv4 address: : 10.217.205.45
Enter Primary subnet mask: : 255.255.252.0
Primary IPv4 address of the default gateway: : 10.217.204.1
Enter Secondary IPv4 address: : 0.0.0.0
Enter Secondary subnet mask: : 0.0.0.0
Enter secondary IPv4 address of the default gateway: :
0.0.0.0
Enter Primary HostName: : nsvsb1
Enter the password for 'nsroot': : nsroot
Do you want to continue installation with entered details
(Y/N)? [Y]
Note: VSB installation is in progress, please use show
virtual-service-blade commands to check the installation
status.
Note: VSB installation may take upto 5 minutes.
Verifying NetScaler 1000V Installation
After installing NetScaler 1000V, log on to the Nexus console and verify that the VSB
has installed correctly. Then, verify that you are able to log on to the NetScaler VSB.
1. Use the show command to verify that the VSB has installed correctly.
Following is the example of output in the pass-through mode:
switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id:              1
  Host Name:            nsvsb1
  Management IP:        10.217.205.45
  VSB Type Name :       NetScaler1000V-105523.1
  Configured vCPU:      2
  Operational vCPU:     2
  Configured Ramsize:   2048
  Operational Ramsize:  2048
  Disksize:             20
  Heartbeat:            96
  Legends:              P - Passthrough08
----------------------------------------------------------------------------------
Interface       Type       MAC             VLAN  State               Uplink-Interface
                                                 Primary  Secondary  Oper     Adm
----------------------------------------------------------------------------------
VsbEthernet1/1  ns_intf_0  0002.3d70.fc02  1     up       up         Po1      Po1
internal  NA  NA  NA  up
VsbEthernet1/3  ns_intf_1  0002.3d70.fc03  11    up       up         Eth3(P)  Eth3(P)
VsbEthernet1/4  ns_intf_2  0002.3d71.fc04  12    up       up         Eth4(P)  Eth4(P)
VsbEthernet1/5  ns_intf_3  0002.3d71.fc05  13    down     down       Po1      Po1
VsbEthernet1/6  ns_intf_4  0002.3d71.fc06  14    down     down       Po1      Po1
VsbEthernet1/7  ns_intf_5  0002.3d71.fc07  15    down     down       Po1      Po1
VsbEthernet1/8  ns_intf_6  0002.3d71.fc08  16    down     down       Po1      Po1
VsbEthernet1/9  ns_intf_7  0002.3d71.fc09  17    down     down       Po1      Po1
  HA Role: Primary
    HA Status:   STANDBY
    Status:      VSB POWERED ON
    Location:    PRIMARY
    SW version:  NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  HA Role: Secondary
    HA Status:   NONE
    Status:      VSB NOT PRESENT
    Location:    SECONDARY
    SW version:
  VSB Info:
    NetScaler VPX
Following is the example of output in the shared mode:
switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id:              1
  Host Name:            nsvsb1
  Management IP:        10.217.205.45
  VSB Type Name :       NetScaler1000V-105523.1
  Configured vCPU:      2
  Operational vCPU:     2
  Configured Ramsize:   2048
  Operational Ramsize:  2048
  Disksize:             20
  Heartbeat:            96
  Legends:              P - Passthrough08
----------------------------------------------------------------------------------
Interface       Type       MAC             VLAN  State               Uplink-Interface
                                                 Primary  Secondary  Oper     Adm
----------------------------------------------------------------------------------
VsbEthernet1/1  ns_intf_0  0002.3d70.fc02  1     up       up         Po1      Po1
internal  NA  NA  NA  up
VsbEthernet1/3  ns_intf_1  0002.3d70.fc03  11    up       up         Eth1     Eth1
VsbEthernet1/4  ns_intf_2  0002.3d71.fc04  12    up       up         Eth2     Eth2
VsbEthernet1/5  ns_intf_3  0002.3d71.fc05  13    down     down       Po1      Po1
VsbEthernet1/6  ns_intf_4  0002.3d71.fc06  14    down     down       Po1      Po1
VsbEthernet1/7  ns_intf_5  0002.3d71.fc07  15    down     down       Po1      Po1
VsbEthernet1/8  ns_intf_6  0002.3d71.fc08  16    down     down       Po1      Po1
VsbEthernet1/9  ns_intf_7  0002.3d71.fc09  17    down     down       Po1      Po1
  HA Role: Primary
    HA Status:   STANDBY
    Status:      VSB POWERED ON
    Location:    PRIMARY
    SW version:  NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  HA Role: Secondary
    HA Status:   NONE
    Status:      VSB NOT PRESENT
    Location:    SECONDARY
    SW version:
  VSB Info:
    NetScaler VPX
2. Log on to NetScaler 1000V.
Only one virtual CPU will be shown, because the license is not yet installed on the
VSB.
switch(config-vsb-config)# login virtual-service-blade
nsvsb1
Telnet escape character is '^\'.
Trying 127.1.0.18...
Connected to 127.1.0.18.
Escape character is '^\'.
login: nsroot
Password:
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991,
1992, 1993, 1994
The Regents of the University of California. All
rights reserved.
Done
> sh ver
NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
Done
> stat cpu
CPU statistics
ID    Usage
1     0
Done
>
3. Verify the configuration of the NetScaler 1000V node.
> show node
1)      Node ID:      0
        IP:   10.217.205.45 (vpx)
        Node State: UP
        Master State: Primary
        Fail-Safe Mode: OFF
        Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
        Disabled Interfaces : None
        SSL Card Status: NOT PRESENT
        Hello Interval: 200 msecs
        Dead Interval: 3 secs
        Node in this Master State for: 0:0:8:20 (days:hrs:min:sec)
Local node information:
        Critical Interfaces: 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
Done
4. From the NetScaler command line interface, disable any unused interfaces on the
NetScaler VSB.
In the following example, interfaces 1/3, 1/4, 1/5, 1/6, and 1/7 are the same
virtual interfaces (ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7) that
were disabled on the Nexus 1010/1110 appliance by using the shut command.
> dis int 1/[3-7]
interface "1/3" disabled
interface "1/4" disabled
interface "1/5" disabled
interface "1/6" disabled
interface "1/7" disabled
Done
Installing the License and Verifying the Resources
You can use NetScaler 1000V without a license for 120 days, with throughput limited to
500 Mbps. The trial usage period begins with installation. If you have purchased a
license, install it after verifying that NetScaler 1000V has been correctly installed. You
can install the license by using the command line interface (CLI) or the configuration
utility (GUI).
To install the license and verify the resources by using the command
line interface
1. Shut down the NetScaler 1000V appliance. At the Nexus 1010/1110 console, type:
switch (config-vsb-config)# shut.
2. Allocate resources for NetScaler 1000V on Nexus 1010/1110.
The following example allocates 4 vCPUs and 12288 MB of RAM.
switch (config-vsb-config)# numcpu 4
switch (config-vsb-config)# ramsize 12288
3. Restart the NetScaler 1000V appliance. At the Nexus 1010/1110 console, type:
switch (config-vsb-config)# no shut.
4. Upload the license to the /nsconfig/license directory on NetScaler 1000V.
> shell
root@ns# cd /nsconfig/license
Copy the new license file to this directory.
>
5. Restart the virtual appliance.
> reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:Y
Done
>
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991,
1992, 1993, 1994
The Regents of the University of California. All rights
reserved.
Done
>
6. Verify that the resources are allocated according to the license installed.
In the following example, three CPUs are allocated.
> stat cpu
CPU statistics
ID    Usage
3     0
2     0
1     0
Done
>
To install the license and verify the resources by using the
configuration utility
1. On the Configuration tab, navigate to System > Licenses.
2. In the details pane, click Manage Licenses.
3. Click Update Licenses.
4. Click Browse. Navigate to the location of the license files, select the license file,
and then click Open.
5. Click Reboot to apply the license.
6. In the Reboot dialog box, click OK to proceed with the changes, or click Close to
cancel the changes.
7. In a web browser, type the IP address of the NetScaler 1000V virtual appliance.
8. In User Name and Password, type the administrator credentials.
9. On the Dashboard tab, click the arrow next to System Overview and select CPU.
Verify that the resources are allocated according to the license installed.
Replacing a Nexus Node in a High Availability Setup
A Nexus 1010/1110 appliance has primary and secondary roles and active and standby
states. If one of the nodes in a high availability setup fails and you replace it, the
installation procedure is the same for either a primary or a secondary node, but the
configuration procedure is not.
1. Deploy NetScaler 1000V.
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# virtual-service-blade nsvsb1
switch(config-vsb-config)# virtual-service-blade-type new NetScaler1000V-NEXUS-10.5-52.3_nc.ova
Note: It can take a while to finish OVA extract operation. Please be patient..
2. Assign VLANs to the virtual interfaces.
The physical interface can be assigned in two modes, the pass-through mode and
the shared mode.
Pass-through mode: In pass-through mode, a physical Ethernet interface is
dedicated to a single virtual interface on the Nexus appliance. All the traffic
received at the Ethernet interface is passed to a single virtual device.
In the following example, VLAN 2 is assigned to data ports ns_intf_1 through
ns_intf_7. VLAN 1, the management VLAN on Nexus 1010/1110, is assigned to
ns_intf_0. The port channel that is used as the Nexus management interface
(PortChannel1 in this example) is assigned to ns_intf_0.
switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 2
switch(config-vsb-config)# interface ns_intf_2 vlan 2
switch(config-vsb-config)# interface ns_intf_3 vlan 2
switch(config-vsb-config)# interface ns_intf_4 vlan 2
switch(config-vsb-config)# interface ns_intf_5 vlan 2
switch(config-vsb-config)# interface ns_intf_6 vlan 2
switch(config-vsb-config)# interface ns_intf_7 vlan 2
ns_intf_0 is the management port for NetScaler 1000V. You should configure the
data and management interfaces of NetScaler 1000V on Nexus 1010/1110 in
separate VLANs.
Shared mode: In shared mode, a physical Ethernet interface is shared among
different virtual interfaces on the Nexus appliance. Each virtual device has a VLAN
assigned to it. Traffic is diverted to a virtual device in one of the following ways:
• When a data frame arrives at the Ethernet interface with a VLAN tag that matches
the VLAN number of a virtual device, the frame is passed to that particular
virtual device.
• When a data frame arrives with no VLAN tag on a physical Ethernet interface,
the frame is forwarded to all the virtual interfaces that share the same native
VLAN as the physical interface.
The following example shows the configuration in the shared mode.
switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 11
switch(config-vsb-config)# interface ns_intf_2 vlan 12
switch(config-vsb-config)# interface ns_intf_3 vlan 13
switch(config-vsb-config)# interface ns_intf_4 vlan 14
switch(config-vsb-config)# interface ns_intf_5 vlan 15
switch(config-vsb-config)# interface ns_intf_6 vlan 16
switch(config-vsb-config)# interface ns_intf_7 vlan 17
3. Assign the physical interface
In the following example for pass-through, only two of the five data ports assigned
to NetScaler 1000V are being used. Therefore, only two interfaces, ns_intf_1 and
ns_intf_2, are bound to physical port Ethernet3 and Ethernet4, respectively, in
pass-through mode.
switch(config-vsb-config)# interface ns_intf_0 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_1 mode passthrough
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
switch(config-vsb-config)# interface ns_intf_2 mode passthrough
In the pass-through mode, if ports Ethernet3 and Ethernet4 are also being used by
another VSB, the following error message appears:
ERROR: Assigned uplink is a passthrough interface which cannot
be shared.
If this error message appears, release these data ports from that VSB.
The following example shows the shared mode.
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
4. Assign uplink physical interfaces to the remaining virtual interfaces of this VSB.
You should assign the management port (PortChannel1 in the above examples) as
the uplink port to the unused data ports (ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6,
and ns_intf_7 in the above examples).
switch(config-vsb-config)# interface ns_intf_3 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_4 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_5 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_6 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_7 uplink PortChannel1
5. From the Nexus 1010/1110 command line, disable any unused virtual interfaces of
NetScaler 1000V.
Loops can be created within NetScaler 1000V if multiple interfaces in the
NetScaler 1000V virtual appliance are connected to the same uplink interface on
Nexus.
The commands in the following example disable VsbEthernet1/5, VsbEthernet1/6,
VsbEthernet1/7, VsbEthernet1/8, and VsbEthernet1/9, which correspond to the unused
interfaces ns_intf_3, ns_intf_4, ns_intf_5, ns_intf_6, and ns_intf_7 on NetScaler
1000V. After installing the VSB, log on to the VSB, and disable these unused
interfaces.
switch(config-vsb-config)# interface VsbEthernet1/5
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/6
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/7
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/8
switch(config-if)# shut
switch(config-if)# interface VsbEthernet1/9
switch(config-if)# shut
6. Perform one of the following procedures, as appropriate:
• Configuring a replacement primary Nexus node
• Configuring a replacement secondary Nexus node
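The interface rules from steps 2 through 5 of the standalone and node-replacement procedures (management and data interfaces in separate VLANs, a pass-through uplink not shared, no more than one enabled virtual interface per uplink) can be checked before the VSB is enabled. The following Python sketch is an added example, not Cisco or Citrix code: it parses the pass-through commands shown on this page, and the function names, rule labels, and the idea of passing the shut interfaces as a set of ns_intf names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Commands from steps 2-4 of this page (pass-through example), used as sample input.
PAGE_CONFIG = """\
switch(config-vsb-config)# interface ns_intf_0 vlan 1
switch(config-vsb-config)# interface ns_intf_1 vlan 2
switch(config-vsb-config)# interface ns_intf_2 vlan 2
switch(config-vsb-config)# interface ns_intf_3 vlan 2
switch(config-vsb-config)# interface ns_intf_4 vlan 2
switch(config-vsb-config)# interface ns_intf_5 vlan 2
switch(config-vsb-config)# interface ns_intf_6 vlan 2
switch(config-vsb-config)# interface ns_intf_7 vlan 2
switch(config-vsb-config)# interface ns_intf_0 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_1 uplink Ethernet3
switch(config-vsb-config)# interface ns_intf_1 mode passthrough
switch(config-vsb-config)# interface ns_intf_2 uplink Ethernet4
switch(config-vsb-config)# interface ns_intf_2 mode passthrough
switch(config-vsb-config)# interface ns_intf_3 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_4 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_5 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_6 uplink PortChannel1
switch(config-vsb-config)# interface ns_intf_7 uplink PortChannel1
"""

# Interfaces shut in step 5 (VsbEthernet1/5-1/9 map to ns_intf_3-ns_intf_7
# in the show virtual-service-blade output on this page).
UNUSED = frozenset(f"ns_intf_{n}" for n in range(3, 8))

# Optional CLI prompt, then "interface <name> <vlan|uplink|mode> <value>".
CMD = re.compile(r"^(?:\S+#\s*)?interface\s+(ns_intf_\d+)\s+(vlan|uplink|mode)\s+(\S+)$")


def parse_plan(text):
    """Build {interface: {vlan, uplink, passthrough}} from the command lines."""
    plan = defaultdict(lambda: {"vlan": None, "uplink": None, "passthrough": False})
    for line in text.splitlines():
        m = CMD.match(line.strip())
        if not m:
            continue  # not an interface vlan/uplink/mode command
        name, key, value = m.groups()
        if key == "vlan":
            plan[name]["vlan"] = int(value)
        elif key == "uplink":
            plan[name]["uplink"] = value
        else:
            plan[name]["passthrough"] = value == "passthrough"
    return dict(plan)


def audit(plan, shut=frozenset(), mgmt="ns_intf_0", other_vsb_uplinks=frozenset()):
    """Return sorted (rule, subject) findings; an empty list means the plan is clean.

    shut: ns_intf names whose VsbEthernet interface is shut on the Nexus.
    other_vsb_uplinks: physical ports already assigned to another VSB.
    """
    if mgmt not in plan:
        raise ValueError(f"management interface {mgmt} is not configured")
    findings = []
    by_uplink = defaultdict(list)
    for name, cfg in plan.items():
        # Data and management interfaces belong in separate VLANs.
        if name != mgmt and cfg["vlan"] == plan[mgmt]["vlan"]:
            findings.append(("mgmt-vlan-shared", name))
        if cfg["uplink"] is None:
            findings.append(("no-uplink", name))
        else:
            by_uplink[cfg["uplink"]].append(name)
    for uplink, names in by_uplink.items():
        # A pass-through port is dedicated to a single virtual interface.
        if any(plan[n]["passthrough"] for n in names) and (
            len(names) > 1 or uplink in other_vsb_uplinks
        ):
            findings.append(("passthrough-shared", uplink))
        # Several enabled interfaces on one uplink can create a loop.
        if len([n for n in names if n not in shut]) > 1:
            findings.append(("loop-risk", uplink))
    return sorted(findings)


if __name__ == "__main__":
    plan = parse_plan(PAGE_CONFIG)
    print("before step 5:", audit(plan))
    print("after step 5: ", audit(plan, shut=UNUSED))
```

Run against the page's commands, the audit reports a loop risk on PortChannel1 until the unused interfaces from step 5 are passed in as shut.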
Configuring a Replacement Primary Nexus Node
If the primary Nexus node goes down, the secondary Nexus node becomes active. If you
replace the failed primary node, you must synchronize the configuration of the
NetScaler 1000V VSB on the secondary Nexus node to the NetScaler 1000V VSB on the
new primary Nexus node.
1. Enter enable primary.
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# virtual-service-blade nsvsb1
switch (config-vsb-config)# virtual-service-blade-type new NetScaler1000V-NEXUS-10.5-52.3_nc.ova
Note: It can take awhile to finish OVA extract operation. Please be patient..
switch (config-vsb-config)# enable primary
Enter vsb image: [NetScaler1000V-NEXUS-10.5-52.3_nc.ova]
NS HA [true/false]: [true]
Management IP version [V4|V6]: [V4]
Enter Primary IPv4 address: 10.217.205.30
Enter Primary subnet mask: 255.255.252.0
Primary IPv4 address of the default gateway: 10.217.204.1
Enter Secondary IPv4 address: [0.0.0.0] 10.217.205.31
Enter Secondary subnet mask: [0.0.0.0] 255.255.252.0
Enter secondary IPv4 address of the default gateway:
[0.0.0.0] 10.217.204.1
Enter Primary HostName: ns-primary
Enter Secondary HostName: ns-secondary
Enter the password for 'nsroot': nsroot
----Details entered----
NS HA [true/false]: : true
Management IP version [V4|V6]: : V4
Enter Primary IPv4 address: : 10.217.205.30
Enter Primary subnet mask: : 255.255.252.0
Primary IPv4 address of the default gateway: : 10.217.204.1
Enter Secondary IPv4 address: : 10.217.205.31
Enter Secondary subnet mask: : 255.255.252.0
Enter secondary IPv4 address of the default gateway: :
10.217.204.1
Enter Primary HostName: : ns-primary
Enter Secondary HostName: : ns-secondary
Enter the password for 'nsroot': : nsroot
Do you want to continue installation with entered details
(Y/N)? [Y]
Note: VSB installation is in progress, please use show
virtual-service-blade commands to check the installation
status.
Note: VSB installation may take upto 5 minutes.
2. Use the show command to verify that the VSB has installed correctly.
Following is the output in the pass-through mode:
switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id:                              1
  Host Name:                            nsvsb1
  Management IP:                        10.217.205.30
  VSB Type Name :                       NetScaler1000V-105523.1
  Configured vCPU:                      2
  Operational vCPU:                     2
  Configured Ramsize:                   2048
  Operational Ramsize:                  2048
  Disksize:                             20
  Configured CryptoOffload Bandwidth:   0
  Operational CryptoOffload Bandwidth:  0
  Configured CryptoOffload VF:          0
  Operational CryptoOffload VF:         0
  Heartbeat:                            68906
  Legends:                              P - Passthrough
----------------------------------------------------------------------------------
Interface       Type       MAC             VLAN  State       Uplink-Interface
                                                 Pri   Sec   Oper     Adm
----------------------------------------------------------------------------------
VsbEthernet1/1  ns_intf_0  0002.3d71.0e82  1     up    up    Po1      Po1
internal  NA  NA  up
VsbEthernet1/3  ns_intf_1  0002.3d71.0e83  11    up    up    Eth3(P)  Eth3(P)
VsbEthernet1/4  ns_intf_2  0002.3d71.0e84  12    up    up    Eth4(P)  Eth4(P)
VsbEthernet1/5  ns_intf_3  0002.3d71.0e85  13    down  down  Po1      Po1
VsbEthernet1/6  ns_intf_4  0002.3d71.0e86  14    down  down  Po1      Po1
VsbEthernet1/7  ns_intf_5  0002.3d71.0e87  15    down  down  Po1      Po1
VsbEthernet1/8  ns_intf_6  0002.3d71.0e88  16    down  down  Po1      Po1
VsbEthernet1/9  ns_intf_7  0002.3d71.0e89  17    down  down  Po1      Po1
virtual-service-blade:
  HA Role: Primary
    HA Status:   ACTIVE
    Status:      VSB POWERED ON
    Location:    PRIMARY
    SW version:  NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  HA Role: Secondary
    HA Status:   STANDBY
    Status:      VSB POWERED ON
    Location:    SECONDARY
    SW version:  NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  VSB Info:
    Netscaler VPX
Following is the output in the shared mode:
switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id:                              1
  Host Name:                            nsvsb1
  Management IP:                        10.217.205.30
  VSB Type Name :                       NetScaler1000V-105523.1
  Configured vCPU:                      2
  Operational vCPU:                     2
  Configured Ramsize:                   2048
  Operational Ramsize:                  2048
  Disksize:                             20
  Configured CryptoOffload Bandwidth:   0
  Operational CryptoOffload Bandwidth:  0
  Configured CryptoOffload VF:          0
  Operational CryptoOffload VF:         0
  Heartbeat:                            68906
  Legends:                              P - Passthrough
  ----------------------------------------------------------------------------
  Interface        Type       MAC             VLAN  State       Uplink-Interface
                                                    Pri   Sec   Oper     Adm
  ----------------------------------------------------------------------------
  VsbEthernet1/1   ns_intf_0  0002.3d71.0e82  1     up    up    Po1      Po1
  internal         NA         NA              NA    up
  VsbEthernet1/3   ns_intf_1  0002.3d71.0e83  11    up    up    Eth3(P)  Eth3(P)
  VsbEthernet1/4   ns_intf_2  0002.3d71.0e84  12    up    up    Eth4(P)  Eth4(P)
  VsbEthernet1/5   ns_intf_3  0002.3d71.0e85  13    down  down  Po1      Po1
  VsbEthernet1/6   ns_intf_4  0002.3d71.0e86  14    down  down  Po1      Po1
  VsbEthernet1/7   ns_intf_5  0002.3d71.0e87  15    down  down  Po1      Po1
  VsbEthernet1/8   ns_intf_6  0002.3d71.0e88  16    down  down  Po1      Po1
  VsbEthernet1/9   ns_intf_7  0002.3d71.0e89  17    down  down  Po1      Po1
  virtual-service-blade:
    HA Role: Primary
      HA Status:   ACTIVE
      Status:      VSB POWERED ON
      Location:    PRIMARY
      SW version:  NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
    HA Role: Secondary
      HA Status:   STANDBY
      Status:      VSB POWERED ON
      Location:    SECONDARY
      SW version:  NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  VSB Info:
    Netscaler VPX
3. Log on to NetScaler 1000V.
Only one virtual CPU will be shown, because the license is not yet installed on the
VSB.
switch(config-vsb-config)# login virtual-service-blade nsvsb1
Telnet escape character is '^\'.
Trying 127.1.0.18...
Connected to 127.1.0.18.
Escape character is '^\'.
login: nsroot
Password:
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
Done
> sh ver
NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
Done
> stat cpu
CPU statistics
ID    Usage
1     0
Done
>
4. Verify the configuration of the primary NetScaler 1000V node.
> show node
1)  Node ID: 0
    IP: 10.217.205.30 (ns-primary)
    Node State: UP
    Master State: Primary
    Fail-Safe Mode: OFF
    INC State: DISABLED
    Sync State: ENABLED
    Propagation: ENABLED
    Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
    Disabled Interfaces : None
    HA MON ON Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
    Interfaces on which heartbeats are not seen : 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
    Interfaces causing Partial Failure: None
    SSL Card Status: NOT PRESENT
    Hello Interval: 200 msecs
    Dead Interval: 3 secs
    Node in this Master State for: 0:0:8:20 (days:hrs:min:sec)
2)  Node ID: 1
    IP: 10.217.205.31
    Node State: UP
    Master State: Secondary
    Fail-Safe Mode: OFF
    INC State: DISABLED
    Sync State: SUCCESS
    Propagation: ENABLED
    Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
    Disabled Interfaces : None
    HA MON ON Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
    Interfaces on which heartbeats are not seen : 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
    Interfaces causing Partial Failure: None
    SSL Card Status: NOT PRESENT
Local node information:
    Critical Interfaces: 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
Done
5. Shut down NetScaler 1000V. At the Nexus 1010/1110 console, type: switch (config-vsb-config)# shut
6. Allocate resources for NetScaler 1000V on Nexus 1010/1110.
The following example allocates 4 vCPUs and 12288 MB of RAM.
switch (config-vsb-config)# numcpu 4
switch (config-vsb-config)# ramsize 12288
7. Restart NetScaler 1000V. At the Nexus 1010/1110 console, type: switch (config-vsb-config)# no shut
8. Upload the license to the /nsconfig/license directory on NetScaler 1000V.
> shell
root@ns# cd /nsconfig/license
Copy the new license file to this directory.
>
9. Restart the virtual appliance.
> reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:Y
Done
>
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991,
1992, 1993, 1994
The Regents of the University of California. All rights
reserved.
Done
>
10. Verify that the resources are allocated according to the license installed.
In the following example, three CPUs are allocated.
> stat cpu
CPU statistics
ID    Usage
3     0
2     0
1     0
Done
>
Configuring a Replacement Secondary Nexus Node
If you replace a failed secondary node, you must synchronize the configuration of the
NetScaler 1000V VSB on the primary Nexus node to the new secondary Nexus node.
1. Enter enable secondary.
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# virtual-service-blade nsvsb1
switch (config-vsb-config)# virtual-service-blade-type new NetScaler1000V-NEXUS-10.5-52.3_nc.ova
Note: Note: It can take awhile to finish OVA extract operation. Please be patient..
switch (config-vsb-config)# enable secondary
Enter vsb image: [NetScaler1000V-NEXUS-10.5-52.3_nc.ova]
NS HA [true/false]: [true]
Management IP version [V4|V6]: [V4]
Enter Primary IPv4 address: 10.217.205.30
Enter Primary subnet mask: 255.255.252.0
Primary IPv4 address of the default gateway: 10.217.204.1
Enter Secondary IPv4 address: [0.0.0.0] 10.217.205.31
Enter Secondary subnet mask: [0.0.0.0] 255.255.252.0
Enter secondary IPv4 address of the default gateway: [0.0.0.0] 10.217.204.1
Enter Primary HostName: ns-primary
Enter Secondary HostName: ns-secondary
Enter the password for 'nsroot': nsroot
----Details entered----
NS HA [true/false]: : true
Management IP version [V4|V6]: : V4
Enter Primary IPv4 address: : 10.217.205.30
Enter Primary subnet mask: : 255.255.252.0
Primary IPv4 address of the default gateway: : 10.217.204.1
Enter Secondary IPv4 address: : 10.217.205.31
Enter Secondary subnet mask: : 255.255.252.0
Enter secondary IPv4 address of the default gateway: : 10.217.204.1
Enter Primary HostName: : ns-primary
Enter Secondary HostName: : ns-secondary
Enter the password for 'nsroot': : nsroot
Do you want to continue installation with entered details (Y/N)? [Y]
Note: VSB installation is in progress, please use show virtual-service-blade commands to check the installation status.
Note: VSB installation may take upto 5 minutes.
2. Use the show command to verify that the VSB has installed correctly.
Following is the output in the pass-through mode:
switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id:                              1
  Host Name:                            nsvsb1
  Management IP:                        10.217.205.30
  VSB Type Name :                       NetScaler1000V-105523.1
  Configured vCPU:                      2
  Operational vCPU:                     2
  Configured Ramsize:                   2048
  Operational Ramsize:                  2048
  Disksize:                             20
  Configured CryptoOffload Bandwidth:   0
  Operational CryptoOffload Bandwidth:  0
  Configured CryptoOffload VF:          0
  Operational CryptoOffload VF:         0
  Heartbeat:                            68906
  Legends:                              P - Passthrough
  ----------------------------------------------------------------------------
  Interface        Type       MAC             VLAN  State       Uplink-Interface
                                                    Pri   Sec   Oper     Adm
  ----------------------------------------------------------------------------
  VsbEthernet1/1   ns_intf_0  0002.3d71.0e82  1     up    up    Po1      Po1
  internal         NA         NA                    up
  VsbEthernet1/3   ns_intf_1  0002.3d71.0e83  11    up    up    Eth3(P)  Eth3(P)
  VsbEthernet1/4   ns_intf_2  0002.3d71.0e84  12    up    up    Eth4(P)  Eth4(P)
  VsbEthernet1/5   ns_intf_3  0002.3d71.0e85  13    down  down  Po1      Po1
  VsbEthernet1/6   ns_intf_4  0002.3d71.0e86  14    down  down  Po1      Po1
  VsbEthernet1/7   ns_intf_5  0002.3d71.0e87  15    down  down  Po1      Po1
  VsbEthernet1/8   ns_intf_6  0002.3d71.0e88  16    down  down  Po1      Po1
  VsbEthernet1/9   ns_intf_7  0002.3d71.0e89  17    down  down  Po1      Po1
  virtual-service-blade:
    HA Role: Primary
      HA Status:   ACTIVE
      Status:      VSB POWERED ON
      Location:    PRIMARY
      SW version:  NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
    HA Role: Secondary
      HA Status:   STANDBY
      Status:      VSB POWERED ON
      Location:    SECONDARY
      SW version:  NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07 7
  VSB Info:
    Netscaler VPX
Following is the output in the shared mode:
switch(config-vsb-config)# sh virtual-service-blade name nsvsb1
virtual-service-blade nsvsb1
  Description:
  Slot id:                              1
  Host Name:                            nsvsb1
  Management IP:                        10.217.205.30
  VSB Type Name :                       NetScaler1000V-105523.1
  Configured vCPU:                      2
  Operational vCPU:                     2
  Configured Ramsize:                   2048
  Operational Ramsize:                  2048
  Disksize:                             20
  Configured CryptoOffload Bandwidth:   0
  Operational CryptoOffload Bandwidth:  0
  Configured CryptoOffload VF:          0
  Operational CryptoOffload VF:         0
  Heartbeat:                            68906
  Legends:                              P - Passthrough
  ----------------------------------------------------------------------------
  Interface        Type       MAC             VLAN  State       Uplink-Interface
                                                    Pri   Sec   Oper     Adm
  ----------------------------------------------------------------------------
  VsbEthernet1/1   ns_intf_0  0002.3d71.0e82  1     up    up    Po1      Po1
  internal         NA         NA              NA    up
  VsbEthernet1/3   ns_intf_1  0002.3d71.0e83  11    up    up    Eth3(P)  Eth3(P)
  VsbEthernet1/4   ns_intf_2  0002.3d71.0e84  12    up    up    Eth4(P)  Eth4(P)
  VsbEthernet1/5   ns_intf_3  0002.3d71.0e85  13    down  down  Po1      Po1
  VsbEthernet1/6   ns_intf_4  0002.3d71.0e86  14    down  down  Po1      Po1
  VsbEthernet1/7   ns_intf_5  0002.3d71.0e87  15    down  down  Po1      Po1
  VsbEthernet1/8   ns_intf_6  0002.3d71.0e88  16    down  down  Po1      Po1
  VsbEthernet1/9   ns_intf_7  0002.3d71.0e89  17    down  down  Po1      Po1
  virtual-service-blade:
    HA Role: Primary
      HA Status:   ACTIVE
      Status:      VSB POWERED ON
      Location:    PRIMARY
      SW version:  NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
    HA Role: Secondary
      HA Status:   STANDBY
      Status:      VSB POWERED ON
      Location:    SECONDARY
      SW version:  NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
  VSB Info:
    Netscaler VPX
3. Log on to NetScaler 1000V.
Only one virtual CPU will be shown, because the license is not yet installed on the
VSB.
switch(config-vsb-config)# login virtual-service-blade nsvsb1
Telnet escape character is '^\'.
Trying 127.1.0.18...
Connected to 127.1.0.18.
Escape character is '^\'.
login: nsroot
Password:
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
Done
> sh ver
NetScaler NS10.5: Build 52.3.nc, Date: Sep 3 2014, 22:58:07
Done
> stat cpu
CPU statistics
ID    Usage
1     0
Done
>
4. Verify the configuration of the primary NetScaler 1000V node.
> show node
1)  Node ID: 0
    IP: 10.217.205.30 (ns-primary)
    Node State: UP
    Master State: Primary
    Fail-Safe Mode: OFF
    INC State: DISABLED
    Sync State: ENABLED
    Propagation: ENABLED
    Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
    Disabled Interfaces : None
    HA MON ON Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
    Interfaces on which heartbeats are not seen : 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
    Interfaces causing Partial Failure: None
    SSL Card Status: NOT PRESENT
    Hello Interval: 200 msecs
    Dead Interval: 3 secs
    Node in this Master State for: 0:0:8:20 (days:hrs:min:sec)
2)  Node ID: 1
    IP: 10.217.205.31
    Node State: UP
    Master State: Secondary
    Fail-Safe Mode: OFF
    INC State: DISABLED
    Sync State: SUCCESS
    Propagation: ENABLED
    Enabled Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
    Disabled Interfaces : None
    HA MON ON Interfaces : 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
    Interfaces on which heartbeats are not seen : 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
    Interfaces causing Partial Failure: None
    SSL Card Status: NOT PRESENT
Local node information:
    Critical Interfaces: 0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6 1/7
Done
5. Shut down NetScaler 1000V. At the Nexus 1010/1110 console, type: switch (config-vsb-config)# shut
6. Allocate resources for NetScaler 1000V on Nexus 1010/1110.
The following example allocates 4 vCPUs and 12288 MB of RAM.
switch (config-vsb-config)# numcpu 4
switch (config-vsb-config)# ramsize 12288
7. Restart NetScaler 1000V. At the Nexus 1010/1110 console, type: switch (config-vsb-config)# no shut
8. Upload the license to the /nsconfig/license directory on NetScaler 1000V.
> shell
root@ns# cd /nsconfig/license
Copy the new license file to this directory.
>
9. Restart the virtual appliance.
> reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:Y
Done
>
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991,
1992, 1993, 1994
The Regents of the University of California. All rights
reserved.
Done
>
10. Verify that the resources are allocated according to the license installed.
In the following example, three CPUs are allocated.
> stat cpu
CPU statistics
ID    Usage
3     0
2     0
1     0
Done
>
Installing an SSL Card as a Field Replacement Unit (FRU)
Installing a separate SSL card offloads SSL encryption to dedicated hardware, which
results in better SSL performance. The following table lists the Nexus I/O
configurations for which an SSL card can be installed.
S. No   Model         Fixed LoM   PCIe Slot (full height)   PCIe Slot (half height)
1       Nexus 1110x   2x1G        SSL card                  4x1G
2       Nexus 1110x   2x1G        2 x 10G SFP+              SSL card
Complete the following steps to install the SSL card in the PCIe slot of Nexus 1110x.
The steps mentioned are for replacing the 1G card of Nexus 1110x with SSL card.
Prerequisite: Make sure that the FRU kit is shipped with the full height bracket. The
full height bracket is required if you are planning to install the SSL card in the full
height slot.
1. Shut down the Nexus 1110x appliance.
2. Remove the top cover of the appliance. To remove the top cover, loosen the green
rear top cover screw and push down and out on the green tabs.
3. Locate the PCIe slot 2 on the back panel of the appliance.
4. Lift out the quad port 1G card from the PCIe slot 2 and remove it from the riser
card.
5. Take the SSL card and insert it into the riser card and insert it back into the PCIe
slot 2.
6. Re-install the top cover and tighten the green color top cover screw.
7. Power on the appliance.
After the SSL card is installed, allocate bandwidth for crypto-offload based on your
license type. For example, if you are using a 1GBPS license, allocate a bandwidth of
1000 MB.
Allocating bandwidth for crypto-offload
To allocate bandwidth, type the crypto-offload <tps value in MB> command at the
command line interface.
Switch(config)# virtual-service-blade vpx1263
Switch(config-vsb-config)# crypto-offload ?
<10-30000> Bandwidth in MB
Switch(config-vsb-config)# crypto-offload 1000
If the VSB is already switched on but virtual function (VF) is not assigned, complete the
following steps to assign VF to VSB:
1. Shut down the VSB.
Nexus-01-M(config)# virtual-service-blade vpx1263
Nexus-01-M(config-vsb-config)# shutdown
2. Type the crypto-offload <tps value in MB> command at the command line
interface.
3. Power on the VSB.
Nexus-01-M(config)# virtual-service-blade vpx1263
Nexus-01-M(config-vsb-config)# no shutdown
Installing NetScaler 1000V Virtual Appliances
on Linux-KVM Platform
To set up NetScaler VPX for the Linux-KVM platform, you can use the graphical Virtual
Machine Manager (Virt-Manager) application. If you prefer the Linux-KVM command
line, you can use the virsh program.
The host Linux operating system must be installed on suitable hardware by using
virtualization tools such as KVM Module and QEMU. The number of virtual machines
(VMs) that can be deployed on the hypervisor depends on the application requirement
and the chosen hardware.
You can provision a NetScaler 1000V instance in the following two environments:
• OpenStack environment
• Linux-KVM platform. You can use either of the following tools to install NetScaler
1000V on a Linux-KVM platform:
  • Virtual Machine Manager
  • Virsh
After you provision a NetScaler virtual appliance, you can add additional interfaces.
Prerequisites for Installing NetScaler VPX Virtual
Appliances on Linux-KVM Platform
Networking Requirements
NetScaler VPX supports only virtIO para-virtualized network interfaces.
Source Interface and Modes
The source device type can be either Bridge or MacVTap. In case of MacVTap, four
modes are possible - VEPA, Bridge, Private and Pass-through.
The following tables list the types of interfaces that you can use and the supported
traffic types.
For best performance by the NetScaler instance, make sure that the gro and lro
capabilities are switched off on the source interfaces.
Table 1-1. Interface Types
Interface Type, followed by its Considerations:
Source: Bridge
  • Linux Bridge.
  • Ebtables and iptables settings on host Linux might filter the traffic on the bridge if you do not choose the correct setting or disable IPtable services.
Source: MacVTap, Mode : VEPA
  • Better performance than a bridge.
  • Interfaces from the same lower device can be shared across the VMs.
  • Inter-VM communication using the same lower device is possible only if upstream or downstream switch supports VEPA mode.
Source: MacVTap, Mode : Private
  • Better performance than a bridge.
  • Interfaces from the same lower device can be shared across the VMs.
  • Inter-VM communication using the same lower device is not possible.
Source: MacVTap, Mode : Bridge
  • Better as compared to bridge.
  • Interfaces out of same lower device can be shared across the VMs.
  • Inter-VM communication using the same lower device is possible, if lower device link is UP.
Source: MacVTap, Mode : Pass-through
  • Better as compared to bridge.
  • Interfaces out of same lower device cannot be shared across the VMs.
  • Only one VM can use the lower device.
S - Supported.
NS - Not Supported.
Properties Of Source Interfaces
Make sure that you switch off the generic-receive-offload (gro) and large-receive-offload (lro)
capabilities of the source interfaces. To switch off the gro and lro
capabilities, run the following commands at the host Linux shell prompt.
ethtool -K eth6 gro off
ethtool -K eth6 lro off
Example
[root@localhost ~]# ethtool -k eth6
Offload parameters for eth6:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: on
[root@localhost ~]#
Example
If the host Linux bridge is used as a source device, as in the following example, gro
and lro capabilities must be switched off on the vnet interfaces, which are the virtual
interfaces connecting the host to the guest VMs.
[root@localhost ~]# brctl show eth6_br
bridge name     bridge id               STP enabled     interfaces
eth6_br         8000.00e0ed1861ae       no              eth6
                                                        vnet0
                                                        vnet2
[root@localhost ~]#
In the above example, the two virtual interfaces are derived from the eth6_br and
are represented as vnet0 and vnet2. Run the following commands to switch off gro
and lro capabilities on these interfaces.
ethtool -K vnet0 gro off
ethtool -K vnet2 gro off
ethtool -K vnet0 lro off
ethtool -K vnet2 lro off
Module Required
For better network performance, make sure the vhost_net module is present in the
Linux host. To check whether the vhost_net module is loaded, run the following command
on the Linux host:
lsmod | grep "vhost_net"
If vhost_net is not yet loaded, enter the following command to load it:
modprobe vhost_net
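The host-side checks in the two sections above (gro and lro switched off on every interface of the source bridge, vhost_net loaded) can be audited in one pass. The script below is an added example, not part of the guide; the function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the guide. Function names are hypothetical.

# Constructed sample: `ethtool -k` output for an interface where GRO is still on.
SAMPLE_ETHTOOL_GRO_ON='Offload parameters for vnet0:
rx-checksumming: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Constructed sample: `brctl show` output in the layout used by the guide.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
eth6_br         8000.00e0ed1861ae       no              eth6
                                                        vnet0
                                                        vnet2'

# Read `ethtool -k` output on stdin and print each receive-offload feature
# (gro, lro) whose state is "on". Prints nothing when both are off.
rx_offloads_on() {
    awk -F': *' '
        $1 ~ /^[ \t]*(generic-receive-offload|large-receive-offload)$/ {
            split($2, value, " ")      # the state may be followed by "[fixed]"
            if (value[1] == "on") {
                name = $1
                sub(/^[ \t]+/, "", name)
                print name
            }
        }'
}

# Read `brctl show <bridge>` output on stdin and print the member interfaces.
bridge_members() {
    awk 'NR == 1 { next }            # header row
         NF >= 4 { print $4; next }  # bridge row carries the first member
         NF == 1 { print $1 }'       # continuation rows list one member each
}

# Live audit of one bridge: returns non-zero if any member interface still has
# gro or lro on, or if vhost_net is not loaded.
audit_bridge() {
    br=$1
    rc=0
    for ifc in $(brctl show "$br" | bridge_members); do
        on=$(ethtool -k "$ifc" | rx_offloads_on)
        if [ -n "$on" ]; then
            echo "$ifc: still on: $(echo $on)"
            rc=1
        fi
    done
    if ! lsmod | grep -q '^vhost_net'; then
        echo "vhost_net module is not loaded"
        rc=1
    fi
    return $rc
}
```

On a KVM host, `audit_bridge eth6_br` reports every bridge member that still needs `ethtool -K <interface> gro off` or `lro off`.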
Limitations and Usage Guidelines
General Recommendations
To avoid unpredictable behavior, apply the following recommendations:
• Do not change the MTU of the vnet interface associated with the NetScaler VM. Shut
down the NetScaler VM before modifying any configuration parameters, such as
Interface modes or CPU.
• Do not force a shutdown of the NetScaler VM. That is, do not use the Force off
command.
• Any configurations done on the host Linux might or might not be persistent,
depending on your Linux distribution settings. You can choose to make these
configurations persistent to ensure consistent behavior across reboots of host Linux
operating system.
• The .raw file has to be unique for each of the NetScaler VPX instance provisioned.
Limitations
A NetScaler VPX setup on the NS 1000V-KVM platform has the following limitations:
• VLAN tagging is not supported on Netscaler-VPX operating on MacVTap-Bridge,
MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface Mode.
• LACP is not supported on Netscaler VPX operating in Bridge, MacVTap-Bridge,
MacVTap-Private, or MacVTap-VEPA interface mode.
• Live Migration of the Netscaler VPX running on KVM is not supported.
• When a VLAN tagged packet destined for a guest VM is received on an Intel IXGBE
10G interface of a KVM host running on Red Hat Enterprise Linux (RHEL) 6.4, the
IXGBE driver of this distribution strips the VLAN tag before sending it to the guest
VM (in this case, NetScaler VPX). Because of this host behavior, a NetScaler VPX
instance running on RHEL6.4 does not receive the intended VLAN tagged packets.
Provisioning the NetScaler 1000V Virtual Appliance
by using OpenStack
You can provision a NetScaler 1000V instance in an OpenStack environment by using
either the OpenStack command line interface or the OpenStack dashboard (GUI).
Provisioning a NetScaler instance optionally involves using data from the config drive.
The config drive is a special configuration drive that attaches to the instance when it
boots. This configuration drive can be used to pass networking configuration, such as
the management IP address, network mask, and default gateway, which the instance can
mount and access before you configure the network settings for the instance.
When OpenStack provisions a NetScaler instance, it confirms the presence of config
drive by reading the label information on the attached drive. The drive should have a
specific OpenStack label.
If the config drive is detected, the instance attempts to read the following information
from the file name specified in the nova boot command. In the steps mentioned below,
the file is referred as userdata:
• Management IP address
• Network mask
• Default gateway
Once the parameters are successfully read, they are populated in the NetScaler stack.
This helps in managing the instance remotely. If the parameters are not read
successfully or the config drive is not available, the instance transitions to the default
behavior, which is:
• The instance attempts to retrieve the IP address information from DHCP
• If DHCP fails or times out, the instance comes up with default network configuration
(192.168.100.1/16)
Provisioning the NetScaler 1000V Virtual Appliance by
using the OpenStack Command Line Interface
You can provision a NetScaler appliance in an OpenStack environment. Provisioning a
NetScaler Virtual Appliance on OpenStack involves the following three steps:
1. Extracting the .raw file from the .ova file
2. Building an OpenStack image from the raw image
3. Provisioning a NetScaler instance
To provision a NetScaler instance in an OpenStack environment, complete the following
steps:
1. Extract the .raw file from the .ova file.
tar xvzf NetScaler1000V-KVM-10.5-49.3_nc.ova
NetScaler1000V-KVM.xml
NetScaler1000V-KVM-10.5-49.3_nc.raw
checksum.txt
2. Build an OpenStack image using the .raw file extracted in step 1.
glance image-create --name="NS-VPX-10-1-127-1" --property hw_disk_bus=ide --is-public=true \
    --container-format=bare --disk-format=raw < NetScaler1000V-KVM-10.1-127.1_nc.raw
In the above command, NS-VPX-10-1-127-1 is the name of the OpenStack image
that you want to create. NetScaler1000V-KVM-10.1-127.1_nc.raw is the
raw file that was extracted from the ova file. The raw file is the input for creating
the OpenStack image.
The following illustration provides a sample output for the glance image-create
command.
3. After an OpenStack image is created, provision the NetScaler virtual appliance
instance.
nova boot --image NS-VPX-10-1-127-1 --config-drive=true --user-data ./userdata.txt \
    --flavor m1.medium --nic net-id=b8c5acee-36b7-4517-af0e-80f8729aa82e vpx10_1_u
In the above command, userdata.txt is the file that contains details such as the
IP address, netmask, and default gateway for the NetScaler instance. The
userdata file is a user customizable file. vpx10_1_u is the name of the virtual
appliance that you want to provision.
The following illustration gives a sample output of the nova boot command.
The following illustration shows a sample of the xml file. The values within the
<PropertySection> </PropertySection> tags are user configurable and hold
information such as the IP address, netmask, and default gateway.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Environment xmlns:oe="http://schemas.dmtf.org/ovf/environment/1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    oe:id=""
    xmlns="http://schemas.dmtf.org/ovf/environment/1">
  <PlatformSection>
    <Kind>NOVA</Kind>
    <Version>2013.1</Version>
    <Vendor>Openstack</Vendor>
    <Locale>en</Locale>
  </PlatformSection>
  <PropertySection>
    <Property oe:key="com.citrix.netscaler.ovf.version" oe:value="1.0"/>
    <Property oe:key="com.citrix.netscaler.platform" oe:value="ns1000v"/>
    <Property oe:key="com.citrix.netscaler.orch_env" oe:value="cisco-orch-env"/>
    <Property oe:key="com.citrix.netscaler.mgmt.ip" oe:value="10.102.38.82"/>
    <Property oe:key="com.citrix.netscaler.mgmt.netmask" oe:value="255.255.255.0"/>
    <Property oe:key="com.citrix.netscaler.mgmt.gateway" oe:value="10.102.38.1"/>
  </PropertySection>
</Environment>
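The userdata file can be generated rather than hand-edited, with the three management values checked before they are passed to nova boot. The script below is an added example, not part of the guide; the function names are hypothetical, and the rule that the gateway must be a different host on the management subnet is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the guide. Function names are hypothetical.

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ip_to_int() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac   # no leading zeros, at most 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed only if ip, netmask and gateway are well formed, the netmask is a
# contiguous run of one-bits, and the gateway is a different host on the same
# subnet as ip (assumption of this example).
check_mgmt_net() {
    ip=$(ip_to_int "$1") && mask=$(ip_to_int "$2") && gw=$(ip_to_int "$3") || return 1
    inv=$(( 4294967295 - mask ))
    [ "$mask" -ne 0 ] && [ $(( inv & (inv + 1) )) -eq 0 ] || return 1
    [ "$ip" -ne "$gw" ] && [ $(( ip & mask )) -eq $(( gw & mask )) ]
}

# Print a userdata document in the format shown above for the given
# management IP, netmask and gateway; refuse to print if validation fails.
make_userdata() {
    check_mgmt_net "$1" "$2" "$3" || {
        echo "invalid management network settings: $*" >&2
        return 1
    }
    cat <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Environment xmlns:oe="http://schemas.dmtf.org/ovf/environment/1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    oe:id=""
    xmlns="http://schemas.dmtf.org/ovf/environment/1">
  <PlatformSection>
    <Kind>NOVA</Kind>
    <Version>2013.1</Version>
    <Vendor>Openstack</Vendor>
    <Locale>en</Locale>
  </PlatformSection>
  <PropertySection>
    <Property oe:key="com.citrix.netscaler.ovf.version" oe:value="1.0"/>
    <Property oe:key="com.citrix.netscaler.platform" oe:value="ns1000v"/>
    <Property oe:key="com.citrix.netscaler.orch_env" oe:value="cisco-orch-env"/>
    <Property oe:key="com.citrix.netscaler.mgmt.ip" oe:value="$1"/>
    <Property oe:key="com.citrix.netscaler.mgmt.netmask" oe:value="$2"/>
    <Property oe:key="com.citrix.netscaler.mgmt.gateway" oe:value="$3"/>
  </PropertySection>
</Environment>
EOF
}
```

For example, `make_userdata 10.102.38.82 255.255.255.0 10.102.38.1 > userdata.txt` writes the file only when the values pass the checks.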
Provisioning the NetScaler 1000V Virtual Appliance by
using OpenStack Dashboard
You can provision NetScaler in an OpenStack environment using the OpenStack
dashboard.
1. Log in to the OpenStack dashboard.
2. In the Project panel on the left hand side of the dashboard, select Instances.
3. In the Instances panel, click Launch Instance to open the Instance Launching
Wizard.
4. In the Launch Instance wizard, fill in the details, like:
a. Instance Name
b. Instance Flavor
c. Instance Count
d. Instance Boot Source
e. Image Name
5. Click on the Post Creation tab in the wizard. In the Customization Script, add the
content of the userdata file. The userdata file contains the IP address, Netmask
and Gateway details of the NetScaler 1000V instance.
6. Click Launch.
Provisioning the NetScaler Virtual Appliance by
using the Virtual Machine Manager
The Virtual Machine Manager is a desktop tool for managing VM Guests. It enables you
to create new VM Guests and various types of storage, and manage virtual networks.
You can access the graphical console of VM Guests with the built-in VNC viewer and
view performance statistics, either locally or remotely.
After installing your preferred Linux distribution, with KVM virtualization enabled, you
can proceed with provisioning virtual machines.
To provision a NetScaler VPX VM by using Virtual Machine Manager
1. Open the Virtual Machine Manager (Application > System Tools > Virtual Machine
Manager) and enter the logon credentials in the Authenticate window.
2. Click the icon or right-click localhost (QEMU) to create a new NetScaler VPX
instance.
3. In the Name text box, enter a name for the new VM (for example, NetScaler-VPX).
4. In the New VM window, under "Choose how you would like to install the operating
system," select Import existing disk image, and then click Forward.
5. In the Provide the existing storage path field, navigate the path to the image.
Choose the OS type as UNIX and Version as FreeBSD 6.x. Then, click Forward.
6. Under "Choose Memory and CPU settings," select the following settings, and then
click Forward:
• Memory (RAM)— 2048 MB
• CPUs— 2
7. Select the Customize configuration before install check box. Optionally, under
"Advanced options," you can customize the MAC address. Make sure the
Virt Type selected is kvm and the Architecture selected is x86_64. Click Finish.
8. Select a NIC and provide the following configuration:
• Source device— ethX macvtap or Bridge
• Device model— virtio
• Source mode— Bridge
9. Click Apply, and then click Begin Installation.
After you have provisioned the NetScaler VPX on KVM, you can add additional
interfaces.
Adding Additional Interfaces to NetScaler VPX by using
Virtual Machine Manager
After you have provisioned the NetScaler VPX on KVM, you can add additional
interfaces.
To add additional interfaces
1. Shut down the NetScaler VPX instance running on the KVM.
2. Right-click the VPX instance and choose Open from the pop-up menu.
3. Click the icon in the header to view the virtual hardware details.
4. Click Add Hardware. In the Add New Virtual Hardware window, select Network
from the navigation menu.
5. In Host Device field, select the physical interface type. The host device type can
be either Bridge or MacVTap. In case of MacVTap, four modes possible are VEPA,
Bridge, Private and Pass-through.
a. For Bridge
i. Host device— Select the "Specify shared device name" option.
ii. Provide the Bridge name that is configured in the KVM host.
Note: Make sure that you have configured a Linux bridge in the KVM
host, bound the physical interface to the bridge, and put the bridge in the
UP state.
iii. Device model—virtio.
iv. Click Finish.
b. For MacVTap
i. Host device—Select the physical interface from the menu.
ii. Device model—virtio.
iii. Click Finish. You can view the newly added NIC in the navigation pane.
iv. Select the newly added NIC and select the Source mode for this NIC. The
available modes are VEPA, Bridge, Private, and Passthrough. For more
details on the interface and modes, see Source Interface and Modes.
v. Click Apply.
6. Start the NetScaler VPX VM.
Provisioning the NetScaler Virtual Appliance by
using the virsh Program
The virsh program is a command line tool for managing VM Guests. Its functionality is
similar to that of Virtual Machine Manager. It enables you to change a VM Guest's status
(start, stop, pause, and so on), to set up new Guests and devices, and to edit existing
configurations. The virsh program is also useful for scripting VM Guest management
operations.
To provision NetScaler VPX by using the virsh program
1. Use the tar command to untar the NetScaler VPX package. The NSVPX-KVM-*_nc.tgz package contains the following components:
• The Domain XML file specifying VPX attributes [NSVPX-KVM-*_nc.xml]
• Check sum of NS-VM Disk Image [Checksum.txt]
• NS-VM Disk Image [NSVPX-KVM-*_nc.raw]
Example:
tar -xvzf NSVPX-KVM-10.1-117_nc.tgz
NSVPX-KVM-10.1-117_nc.xml
NSVPX-KVM-10.1-117_nc.raw
checksum.txt
2. Copy the NSVPX-KVM-*_nc.xml XML file to a file named <DomainName>-NSVPX-KVM-*_nc.xml. The <DomainName> is also the name of the virtual
machine.
Example:
cp NSVPX-KVM-10.1-117_nc.xml NetScaler-VPX-NSVPX-KVM-10.1-117_nc.xml
3. Edit the <DomainName>-NSVPX-KVM-*_nc.xml file to specify the following
parameters:
• name— Specify the name.
• mac— Specify the MAC address.
Note: The domain name and the MAC address have to be unique.
• sourcefile— Specify the absolute disk-image source path. The file path has to be
absolute. In this example, the disk image is at the following location: /root/
NSVPX-KVM-10.1-117_nc.raw.
Example:
<name>NetScaler-VPX</name>
<mac address='52:54:00:29:74:b3'/>
<source file='/root/NSVPX-KVM-10.1-117_nc.raw'/>
4. Edit the <DomainName>-NSVPX-KVM-*_nc.xml file to configure the networking
details:
• source dev— specify the interface.
• mode— specify the mode. The default interface is MacVTap Bridge.
Example:
Mode: MacVTap Bridge
Set target interface as ethx and mode as bridge
Model type as virtio
<interface type='direct'>
<mac address='52:54:00:29:74:b3'/>
<source dev='eth0' mode='bridge'/>
<target dev='macvtap0'/>
<model type='virtio'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
</interface>
Here, eth0 is the physical interface attached to the VM.
5. Define the VM attributes in the <DomainName>-NSVPX-KVM-*_nc.xml file by
using the following command:
virsh define <DomainName>-NSVPX-KVM-*_nc.xml
Example:
virsh define NetScaler-VPX-NSVPX-KVM-10.1-117_nc.xml
6. Start the VM by entering following command:
virsh start [<DomainName> | <DomainUUID>]
Example:
virsh start NetScaler-VPX
7. Connect to the guest VM through the console:
virsh console [<DomainName> | <DomainUUID> |<DomainID> ]
Example:
virsh console NetScaler-VPX
Adding Additional Interfaces to NetScaler VPX using virsh
Program
After you have provisioned the NetScaler VPX on KVM, you can add additional
interfaces.
To add additional interfaces
1. Shut down the NetScaler VPX instance running on the KVM.
2. Edit the <DomainName>-NSVPX-KVM-*_nc.xml file using the command:
virsh edit [<DomainName> | <DomainUUID>]
3. In the <DomainName>-NSVPX-KVM-*_nc.xml file, append the following
parameters:
a. For MacVTap
• Interface type— Specify the interface type as 'direct'.
• Mac address— Specify the MAC address and make sure the MAC address is
unique across the interfaces.
• source dev— Specify the interface name.
• mode— Specify the mode; the supported modes are Bridge, VEPA, Private,
and Pass-through.
• model type— Specify the model type as virtio.
Example:
Mode: MacVTap Pass-through
Set target interface as ethx, Mode as bridge, and model type as virtio
<interface type='direct'>
<mac address='52:54:00:29:74:b3'/>
<source dev='eth1' mode='passthrough'/>
<model type='virtio'/>
</interface>
Here eth1 is the physical interface attached to the VM.
b. For Bridge Mode
Note: Make sure that you have configured a Linux bridge in the KVM host,
bound the physical interface to the bridge, and put the bridge in the UP state.
• Interface type— Specify the interface type as 'bridge'.
• Mac address— Specify the MAC address and make sure the MAC address is
unique across the interfaces.
• source bridge— Specify the bridge name.
• model type— Specify the model type as virtio.
Example: Bridge Mode
<interface type='bridge'>
<mac address='52:54:00:2d:43:a4'/>
<source bridge='br0'/>
<model type='virtio'/>
</interface>
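The constraints stated in the two virsh procedures above (an absolute disk-image path, a MAC address that is unique across interfaces, the virtio model, and a supported MacVTap mode or a named bridge) can be checked before running virsh define or saving a virsh edit. The following Python check is an added example, not part of the Citrix or Cisco documentation; the function name validate_domain and the sample domain, assembled from the guide's own XML snippets, are assumptions.

```python
import posixpath
import re
import xml.etree.ElementTree as ET

# MacVTap source modes named in the guide, spelled the way libvirt writes them.
MACVTAP_MODES = {"vepa", "bridge", "private", "passthrough"}
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample: the guide's three <interface> snippets and its disk path
# placed in one domain. The two MacVTap snippets carry the same MAC address.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>NetScaler-VPX</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/root/NSVPX-KVM-10.1-117_nc.raw'/>
    </disk>
    <interface type='direct'>
      <mac address='52:54:00:29:74:b3'/>
      <source dev='eth0' mode='bridge'/>
      <model type='virtio'/>
    </interface>
    <interface type='direct'>
      <mac address='52:54:00:29:74:b3'/>
      <source dev='eth1' mode='passthrough'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:2d:43:a4'/>
      <source bridge='br0'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
""".strip()


def validate_domain(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    if not (root.findtext("name") or "").strip():
        findings.append("domain: <name> is missing or empty")

    # Provisioning step 3: the disk-image source path has to be absolute.
    for disk in root.iterfind("./devices/disk"):
        src = disk.find("source")
        path = src.get("file") if src is not None else None
        if path is not None and not posixpath.isabs(path):
            findings.append(f"disk: source file '{path}' is not absolute")

    seen = {}  # normalised MAC -> index of the interface that used it first
    for idx, nic in enumerate(root.iterfind("./devices/interface")):
        label = f"interface[{idx}]"
        mac_el = nic.find("mac")
        mac = (mac_el.get("address") or "").lower() if mac_el is not None else ""
        if not MAC_RE.match(mac):
            findings.append(f"{label}: missing or malformed MAC address")
        elif mac in seen:
            findings.append(f"{label}: MAC {mac} duplicates interface[{seen[mac]}]")
        else:
            seen[mac] = idx

        src = nic.find("source")
        itype = nic.get("type")
        if itype == "direct":  # MacVTap
            mode = src.get("mode") if src is not None else None
            if src is None or not src.get("dev"):
                findings.append(f"{label}: MacVTap needs a source dev")
            elif mode not in MACVTAP_MODES:
                findings.append(f"{label}: mode '{mode}' is not a MacVTap mode")
        elif itype == "bridge":  # Linux bridge configured on the KVM host
            if src is None or not src.get("bridge"):
                findings.append(f"{label}: bridge type needs a source bridge")
        else:
            findings.append(f"{label}: type '{itype}' is neither direct nor bridge")

        model = nic.find("model")
        if model is None or model.get("type") != "virtio":
            findings.append(f"{label}: model type must be virtio")
    return findings


if __name__ == "__main__":
    for finding in validate_domain(SAMPLE_DOMAIN_XML):
        print(finding)
```

The check covers a single domain file; uniqueness of the domain name and MAC addresses across other guests on the same KVM host has to be verified against those guests' definitions.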
Installing NetScaler 1000V Virtual Appliances
on VMware ESX
Important: You cannot install standard VMware Tools or upgrade the VMware Tools
version available on a NetScaler virtual appliance. VMware Tools for a NetScaler
virtual appliance are delivered as part of the NetScaler software release.
Before installing NetScaler 1000V virtual appliances on VMware ESX, make sure that
VMware ESX Server is installed on a machine with adequate system resources. To install
NetScaler 1000V on VMware ESXi version 5.0 or 5.1, you use VMware vSphere client.
The client or tool must be installed on a remote machine that can connect to VMware
ESX through the network.
Note: NetScaler 1000V is supported on both the VMware ESX and the VMware ESXi
hypervisor, and is shipped with virtual hardware version 4.
After you install NetScaler 1000V on VMware ESX version 5.0 or 5.1, set up vPath on the
new VM so that it can communicate with the servers. For more information about
vPath, see "Setting Up vPath on the NetScaler 1000V."
Prerequisites for Installing NetScaler Virtual
Appliances on VMware
Before you begin installing a virtual appliance, do the following:
• Install VMware ESX version 5.0 or later on hardware that meets the minimum
requirements.
• Install VMware Client on a management workstation that meets the minimum
system requirements.
• Download the NetScaler setup files.
• Label the physical network ports of VMware ESX.
Installing NetScaler 1000V on VMware ESX 5.0 or 5.1
After you have installed and configured VMware ESX 5.0 or 5.1, you can use the VMware
vSphere client to install NetScaler 1000V on VMware ESX. The number of virtual
appliances that you can install depends on the amount of memory available on the
hardware that is running VMware ESX.
To install NetScaler 1000V on VMware ESX 5.0 or 5.1 by
using VMware vSphere Client
1. On your workstation, start the VMware vSphere client.
2. In the IP address / Name text box, type the IP address of the VMware ESX server
that you want to connect to.
3. In the User Name and Password text boxes, type the administrator credentials,
and then click Login.
4. On the File menu, click Deploy OVF Template.
5. In the Deploy OVF Template dialog box, in Deploy from file, browse to the
location at which you saved the NetScaler virtual appliance setup files, select
the .ova file, and click Next.
6. Verify the details.
7. Specify a name for the virtual appliance.
8. Select a virtual disk format.
9. Map the networks shown in the OVF template to the networks that you configured
on the ESX host.
10. Review settings and select Power on after deployment to power on the virtual
appliance.
11. Click Finish to start installing the virtual appliance. When installation is complete,
a pop-up window informs you of successful installation.
12. Optional: If you did not select Power on after deployment in step 10, right-click
the virtual appliance, and select Power > Power On.
13. Click the Console tab, which emulates a console port, and assign an IP address,
subnet mask, and gateway for the virtual appliance. When finished, select 4. Save
and quit.
Verifying NetScaler 1000V Installation on VMware ESX
After installing NetScaler 1000V, type the NetScaler IP address in a web browser and log
on to the NetScaler 1000V virtual appliance. In addition, from the vSphere console,
verify that NetScaler 1000V is powered on.
Installing the License and Verifying the Resources
You can use NetScaler 1000V without a license for 120 days, with throughput limited to
500 Mbps. The trial usage period begins with installation. If you have purchased a
license, install it after verifying that NetScaler 1000V has been correctly installed. You
can install the license by using the command line interface (CLI) or the configuration
utility (GUI).
To install the license and verify the resources by using the command
line interface
1. Shut down the NetScaler 1000V appliance. At the Nexus 1010/1110 console, type:
switch (config-vsb-config)# shut
2. Allocate resources for NetScaler 1000V on Nexus 1010/1110.
The following example allocates 4 vCPUs and 12288 MB of RAM.
switch (config-vsb-config)# numcpu 4
switch (config-vsb-config)# ramsize 12288
3. Restart the NetScaler 1000V appliance. At the Nexus 1010/1110 console, type:
switch (config-vsb-config)# no shut
4. Upload the license to the /nsconfig/license directory on NetScaler 1000V.
> shell
root@ns# cd /nsconfig/license
Copy the new license file to this directory.
>
5. Restart the virtual appliance.
> reboot
Are you sure you want to restart NetScaler (Y/N)? [N]:Y
Done
>
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991,
1992, 1993, 1994
The Regents of the University of California. All rights
reserved.
Done
>
6. Verify that the resources are allocated according to the license installed.
In the following example, three CPUs are allocated.
> stat cpu
CPU statistics
ID    Usage
3     0
2     0
1     0
Done
>
To install the license and verify the resources by using the
configuration utility
1. On the Configuration tab, navigate to System > Licenses.
2. In the details pane, click Manage Licenses.
3. Click Update Licenses.
4. Click Browse. Navigate to the location of the license files, select the license file,
and then click Open.
5. Click Reboot to apply the license.
6. In the Reboot dialog box, click OK to proceed with the changes, or click Close to
cancel the changes.
7. In a web browser, type the IP address of the NetScaler 1000V virtual appliance.
8. In User Name and Password, type the administrator credentials.
9. On the Dashboard tab, click the arrow next to System Overview and select CPU.
Verify that the resources are allocated according to the license installed.
Upgrading to a Later Build within Release 10.1
To upgrade from an earlier 10.1 build to a later 10.1 build on a standalone NetScaler
appliance or a high availability pair, you can use the configuration utility or the
command line interface. You use the same basic procedure to upgrade either a
standalone appliance or each appliance in a high availability pair, although additional
considerations apply to upgrading a high availability pair.
Upgrading a Standalone NetScaler Appliance to a
Later Build
In the following procedure, <targetbuildnumber> is the build number that you are
upgrading to within the 10.1 release. The procedure includes optional steps to avoid
losing any updates that are pushed to the /etc directory during the upgrade.
To upgrade a standalone NetScaler appliance running
release 10.1 to a later build by using the command line
interface
1. Use an SSH client, such as PuTTY, to open an SSH connection to the appliance.
2. Log on to the appliance by using the administrator credentials, and save the
running configuration. At the prompt, type:
save ns config
3. Create a copy of the ns.conf file. At the shell prompt, type:
a. cd /nsconfig
b. cp ns.conf ns.conf.NS<releasenumber><currentbuildnumber>
You should back up the configuration file to another computer.
4. (Optional) If you have modified any of the following files in the /etc directory,
and copied them to /nsconfig to maintain persistency, any updates that are
pushed to the /etc directory during the upgrade might be lost:
• ttys
• resolv.conf
• sshd_config
• host.conf
• newsyslog.conf
• httpd.conf
• rc.conf
• syslog.conf
• crontab
• monitrc
To avoid losing these updates, create a /var/nsconfig_backup directory, and move
the customized files to this directory. That is, move any files that you modified
in /etc directory and copied to /nsconfig, by running the following command:
mv /nsconfig/<filename> /var/nsconfig_backup
Example:
mv /nsconfig/syslog.conf /var/nsconfig_backup
5. Create a location for the installation package. At the shell prompt, type:
a. cd /var/nsinstall
b. mkdir <releasenumber>nsinstall
c. cd <releasenumber>nsinstall
d. mkdir build_<targetbuildnumber>
e. cd build_<targetbuildnumber>
6. Download or copy the installation package to this directory.
7. Extract the contents of the installation package.
Example:
tar -xvzf build_10.1-121.10_nc.tgz
8. Run the installns script to install the new version of the system software.
The script updates the /etc directory.
9. When prompted, restart the appliance.
10. (Optional) If you performed step 4, do the following:
a. Manually compare the files in /var/nsconfig_backup and /etc and make
appropriate changes in /etc.
b. To maintain persistency, move the updated files in /etc to /nsconfig.
c. Restart the appliance to put the changes into effect.
Example
login: nsroot
Password:
Last login: Thu Aug 9 12:12:54 2012 from 10.144.7.22
Done
> save ns config
> shell
Last login: Mon Aug 9 03:51:42 from 10.103.25.64
root@NSnnn# cd /var/nsinstall
root@NSnnn# cd 10.1nsinstall
root@NSnnn# mkdir build_118.7
root@NSnnn# cd build_118.7
root@NSnnn# ftp ... get build-10.1-118.7_nc.tgz
root@NSnnn# tar -xvzf build-10.1-118.7_nc.tgz
root@NSnnn# ./installns
installns version (10.1-118.7) kernel
(ns-10.1-118.7_nc.gz)
The Netscaler version 10.1-118.7 checksum file is
located on
http://www.mycitrix.com under Support > Downloads
> Citrix NetScaler.
Select the Release 10.1-118.7 link to view the MD5
checksum file for build 10.1-118.7.
There may be a pause of up to 3 minutes while data
is written to the flash.
Do not interrupt the installation process once it
has begun....
...
...
Copying ns-10.1-118.7_nc.gz to /flash/
ns-10.1-118.7_nc.gz ...
...
Installation has completed.
Reboot NOW? [Y/N] Y
To upgrade a standalone NetScaler running release 10.1 to
a later build by using the configuration utility
1. In a web browser, type the IP address of the NetScaler, such as http://10.102.29.50.
2. In User Name and Password, type the administrator credentials.
3. In Deployment Type, select NetScaler ADC.
4. In Start in, select Configuration, and then click Login, as shown in the following
figure.
5. In the configuration utility, in the navigation pane, click System.
6. In the System Overview page, click Upgrade Wizard.
7. Follow the instructions to upgrade the software.
8. When prompted, select Reboot.
Note: After the upgrade, close all browser instances and clear your computer's
cache before accessing the appliance.
Upgrading a NetScaler High Availability Pair to a
Later Build
To upgrade the system software on NetScaler appliances in a high availability (HA) pair,
upgrade the secondary node first, and then upgrade the primary node.
Warning: In certain cases, after you upgrade one of the nodes in an HA pair,
synchronization and propagation are automatically disabled until you upgrade the
other node. To determine whether synchronization and propagation are disabled, at
the command line interface, type: show ha node
In the following procedure, machine A is the original primary and machine B is the
original secondary node, and <targetbuildnumber> is the build number that you are
upgrading to within the 10.1 release.
To upgrade a NetScaler high availability pair to a later build
by using the command line interface
On machine B (original secondary node)
1. Follow the procedure for upgrading a standalone node as described in "Upgrading a
Standalone NetScaler Appliance to a Later Build". The procedure includes optional
steps to avoid losing any updates that are pushed to the /etc directory during the
upgrade.
2. After the NetScaler restarts, log on by using the administrator credentials and
enter the show ha node command to verify that the appliance is a secondary
node.
3. Test the new build by entering the force failover command on the secondary node
(machine B). At the command prompt type force failover.
When you do so, machine B becomes the primary node. If machine B does not
function as expected, enter the force failover command on the new primary node
(machine B) forcing it to again become the secondary node, and contact Citrix
Customer Service before proceeding.
4. Enter the show ha node command to verify that machine B is the new primary
node.
On machine A (original primary node)
5. Follow the procedure for upgrading a standalone node as described in "Upgrading a
Standalone NetScaler Appliance to a Later Build." The procedure includes optional
steps to avoid losing any updates that are pushed to the /etc directory during the
upgrade.
6. After the appliance restarts, log on by using the administrator credentials and
enter the show ha node command to verify that the appliance is a secondary node
and that synchronization and propagation are enabled.
Optionally, enter the show ns runningconfig command on both the nodes and
compare the result to verify that the configuration of machine A has been
synchronized with that of machine B.
On machine B (new primary node)
7. Enter the save ns config command to save the current configuration.
On machine A and machine B
8. After successfully upgrading both the nodes, run the show ha node command to
verify that synchronization and propagation are enabled.
Example
show ha node
Node ID: 0
IP: 10.0.4.2
Node State: UP
Master State: Primary
...
...
INC State: DISABLED
Sync State: ENABLED
Propagation: ENABLED
Enabled Interfaces : 1/1
Disabled Interfaces : None
HA MON ON Interfaces : 1/1
...
...
Local node information
Critical Interfaces: 1/1
Done
Show ha node
Node ID: 0
IP: 10.0.4.11
Node State: UP
Master State: Secondary
..
..
INC State: DISABLED
Sync State: SUCCESS
Propagation: ENABLED
Enabled Interfaces : 1/1
Disabled Interfaces : None
HA MON ON Interfaces : 1/1
. . .
. . .
Local node information:
Critical Interfaces: 1/1
Done
Machine B (original secondary node) is now the primary node and machine A (original
primary node) is now the secondary node.
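The verification in steps 2, 4, 6 and 8 can be scripted against captured show ha node output. This added example (not from the guide or from Citrix) parses the fields shown in the example above and treats only the values printed there as healthy, which is an assumption; the function names are hypothetical and the sample text is constructed from the guide's output.

```python
# Values the guide's example output shows for a healthy pair. Assumption:
# any other value for these fields is reported as a problem.
HEALTHY = {
    "Node State": {"UP"},
    "Sync State": {"ENABLED", "SUCCESS"},
    "Propagation": {"ENABLED"},
}

# Constructed from the guide's example output for machine B (new primary).
MACHINE_B_OUTPUT = """\
show ha node
Node ID: 0
IP: 10.0.4.2
Node State: UP
Master State: Primary
...
INC State: DISABLED
Sync State: ENABLED
Propagation: ENABLED
Enabled Interfaces : 1/1
Disabled Interfaces : None
HA MON ON Interfaces : 1/1
...
Local node information
Critical Interfaces: 1/1
Done
"""

# Constructed from the guide's example output for machine A (new secondary).
MACHINE_A_OUTPUT = """\
show ha node
Node ID: 0
IP: 10.0.4.11
Node State: UP
Master State: Secondary
...
INC State: DISABLED
Sync State: SUCCESS
Propagation: ENABLED
Enabled Interfaces : 1/1
Disabled Interfaces : None
HA MON ON Interfaces : 1/1
...
Local node information:
Critical Interfaces: 1/1
Done
"""


def parse_ha_node(output):
    """Collect 'Field: value' lines; the first occurrence of a field wins,
    so the values come from the first node block in the output."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip(), value.strip())
    return fields


def check_node(label, output, expected_role):
    """Return a list of problems for one node's show ha node output."""
    fields = parse_ha_node(output)
    problems = []
    role = fields.get("Master State")
    if role != expected_role:
        problems.append(f"{label}: Master State is {role!r}, expected {expected_role!r}")
    # Only the fields in HEALTHY are judged. "INC State: DISABLED" is normal
    # in the guide's output, so matching on the word DISABLED would misfire.
    for key, ok_values in HEALTHY.items():
        value = fields.get(key)
        if value not in ok_values:
            problems.append(f"{label}: {key} is {value!r}")
    return problems


def check_upgraded_pair(output_b, output_a):
    """After both upgrades: B must be Primary, A Secondary, both in sync."""
    return (check_node("machine B", output_b, "Primary")
            + check_node("machine A", output_a, "Secondary"))


if __name__ == "__main__":
    problems = check_upgraded_pair(MACHINE_B_OUTPUT, MACHINE_A_OUTPUT)
    print("\n".join(problems) if problems else "HA pair looks healthy")
```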
Downgrading to an Earlier Build within Release
10.1
You can downgrade from a later 10.1 build to an earlier 10.1 build on a standalone
NetScaler or a high availability pair. This procedure must be performed by using the
command line interface.
Warning: Loss of configuration may occur when downgrading. You should
compare the configurations before and after the downgrade, and then manually re-add
any missing entries.
Downgrading a Standalone NetScaler to an Earlier
Build
In the procedure below, <targetbuildnumber> is the build number that you are
downgrading to within the same release.
To downgrade a standalone NetScaler to an earlier build
1. Use an SSH client, such as PuTTY, to open an SSH connection to the appliance.
2. Log on to the NetScaler by using the administrator credentials. Save the running
configuration. At the prompt, type:
save ns config
Caution: If ns.conf.NS10.1-<targetbuildnumber> does not exist, loss in
configuration may occur when downgrading to an earlier build. The errors and
warnings appear only on the console. Please watch the console closely for these
errors and warnings. After the appliance restarts, compare the saved configuration
with the running configuration, and make any adjustments for features and entities
configured before the downgrade. Save the running configuration after making the
changes.
3. Change directory to /var/nsinstall/10.1nsinstall.
4. Change directory to build_<targetbuildnumber>, or create one if it does not
exist.
5. Download or copy the installation package (build-10.1-<targetbuildnumber>_nc.tgz) to this directory and extract the contents of
the installation package.
6. Run the installns script to install the old version of the system software.
The script updates the /etc directory.
7. When prompted, restart the NetScaler.
Example
login: nsroot
Password: nsroot
Last login: Sun May 5 08:38:25 2013 from 10.102.29.4
Done
> save ns config
> shell
Last login: Sun Aug 5 09:07:06 from 10.103.25.64
root@NSnnn# cp ns.conf.NS10.1-112.13 ns.conf
root@NSnnn# cd /var/nsinstall
root@NSnnn# cd 10.1nsinstall
root@NSnnn# cd build_112_13
root@NSnnn# ftp ... get build-10.1-112.13_nc.tgz
root@NSnnn# tar xzvf build-10.1-112.13_nc.tgz
root@NSnnn# ./installns
installns version (10.1-112.13) kernel
(ns-10.1-112.13.gz)
...
...
...
Copying ns-10.1-112.13_nc.gz to /flash/
ns-10.1-112.13_nc.gz ...
Changing /flash/boot/loader.conf for
ns-10.1-112.13 ...
Installation has completed.
Reboot NOW? [Y/N] Y
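The comparison that the caution in step 2 asks for, and the optional show ns runningconfig comparison in the HA upgrade procedure, can be done on two saved copies of the configuration. The Python below is an added example, not NetScaler tooling: the function names, the rule that the tokens before the first -option identify an entry, and the constructed sample configurations are assumptions.

```python
# Constructed sample: configuration saved before the downgrade.
BEFORE = """\
#NS10.1 Build 118.7
enable ns feature LB vPath
enable ns mode USIP
add ns ip 10.102.38.221 255.255.255.0 -type SNIP
set vPathParam -srcIP 10.102.38.221 -offload ENABLED
add vpath app1 10.102.38.230 -encapMode L3
add service svc1 10.102.38.231 HTTP 80
add lb vserver vs1 HTTP 10.102.38.240 80
bind lb vserver vs1 svc1
"""

# Constructed sample: configuration captured after the downgrade.
AFTER = """\
#NS10.1 Build 112.13
enable ns feature LB vPath
enable ns mode USIP
add ns ip 10.102.38.221 255.255.255.0 -type SNIP
set vPathParam -srcIP 10.102.38.221 -offload DISABLED
add service svc1 10.102.38.231 HTTP 80
add lb vserver vs1 HTTP 10.102.38.240 80
bind lb vserver vs1 svc1
"""


def parse_config(text):
    """Return configuration entries in file order, with comment lines and
    blank lines dropped and runs of whitespace collapsed."""
    entries = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def entity_key(line):
    """Heuristic identity of an entry: every token before the first -option."""
    head = []
    for token in line.split():
        if token.startswith("-"):
            break
        head.append(token)
    return " ".join(head)


def compare_configs(before_text, after_text):
    """List entries that disappeared and entries whose options changed.

    'missing' keeps the order of the saved configuration, because entries
    have to be re-added in that order (an add before the bind that uses it).
    """
    before = parse_config(before_text)
    after = parse_config(after_text)
    after_lines = set(after)
    after_by_key = {}
    for line in after:
        after_by_key.setdefault(entity_key(line), line)

    missing, changed = [], []
    for line in before:
        if line in after_lines:
            continue
        replacement = after_by_key.get(entity_key(line))
        if replacement is None:
            missing.append(line)
        else:
            changed.append((line, replacement))
    return {"missing": missing, "changed": changed}


if __name__ == "__main__":
    report = compare_configs(BEFORE, AFTER)
    for line in report["missing"]:
        print("re-add: ", line)
    for old, new in report["changed"]:
        print("changed:", old, "->", new)
```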
Downgrading a NetScaler High Availability Pair to an
Earlier Build
To downgrade the system software on NetScaler units in a high availability pair, you
need to downgrade the software first on the secondary node and then on the primary
node.
Setting Up vPath on the NetScaler 1000V VPX
After installing the NetScaler 1000V virtual appliance, you must set it up to
communicate with the servers.
In a NetScaler 1000V deployment, the virtual appliance communicates with servers
through the Virtual Ethernet Modules (VEMs). A VEM can only interpret packets that are
encapsulated with vPath service intelligence. Therefore, you must set up the virtual
appliance to apply vPath encapsulation to all packets that are being sent to the server.
vPath uses overlay tunnels to steer traffic to a VSN (for example, a NetScaler virtual
appliance), which can be either Layer 2 or Layer 3 adjacent. For detailed information
on vPath, see "Cisco vPath and vServices Reference Guide for VMware vSphere."
Figure 1-7. NetScaler 1000V with Nexus 1000V
How vPath Works
The NetScaler 1000V virtual appliance encapsulates the packets it receives with a vPath
header so that the vPath module can interpret the packets and forward them to the
server.
Figure 1-8. Packet Flow Using vPath
The above figure illustrates the flow of traffic using vPath:
1. Client sends request to the NetScaler virtual appliance.
2. The NetScaler virtual appliance encapsulates the client request with a vPath
header and sends the updated packet to the server that is selected by the load
balancing algorithm.
3. The VEM (in which the vPath module is embedded) intercepts and decapsulates the
packet and forwards it to the server.
4. Server responds with the required information.
5. The VEM encapsulates the server response with a vPath header and forwards the
packet to the NetScaler virtual appliance.
6. The NetScaler virtual appliance decapsulates the packet and sends the response to
the client.
Step 1: Configuring vPath on a NetScaler
All data transmitted between the NetScaler 1000V virtual appliance and the server is
vPath encapsulated. By default, vPath is disabled on the NetScaler 1000V virtual
appliance. Therefore, to configure vPath on a NetScaler, you must first enable vPath,
and then configure a SNIP address as the source of the vPath packet when the packet is
forwarded to the switch.
If, in the return flow, the vPath packet is received at an IP address other than the
specified SNIP address, the appliance drops the packet.
To configure vPath on a NetScaler by using the command
line interface
At the command prompt, do the following:
1. Enable vPath on the NetScaler 1000V virtual appliance.
enable ns feature vPath
2. Specify the SNIP address to be used as the source IP address of the vPath packet.
You can also specify whether the NetScaler must offload to the VEM those sessions for
which it has no matching configuration and in which it is therefore not interested.
set vPathParam -srcIP <ip_addr> -offload <ENABLED | DISABLED>
Note:
• When the offload parameter is enabled, the NetScaler adds an extra 24 bytes
to the vPath header.
• By default, the NetScaler IP (NSIP) address is configured as the vPath source
IP address. However, the show vPathParam command shows the source IP
address as 0.0.0.0.
3. If you have a server that is not configured as a service on the NetScaler, you must
explicitly enable vPath encapsulation as follows:
add vpath <name> (<destIP> [<netmask>] [<gateway>]) -encapMode L3
4. Save the configurations.
save ns config
To configure vPath on a NetScaler by using the graphical
user interface
1. Navigate to Configuration > System > Settings.
2. In the details pane, under Modes and Features, click Configure advanced
features and select the vPath checkbox.
3. Navigate to Configuration > System > Network.
4. In the details pane, under Settings, click Configure VPath Parameters and select
the appropriate SNIP address as the source address.
5. To enable vPath encapsulation on a server that is not configured on the NetScaler,
navigate to Configuration > System > Network > vPath.
6. In the details pane, click Add and provide the required details.
Step 2: Configuring Load Balancing of Backend
Servers
When deployed in front of application servers, NetScaler 1000V ensures optimal
distribution of traffic by the way in which it directs client requests. Administrators can
segment application traffic according to information in the body of an HTTP or TCP
request, and on the basis of L4-L7 header information such as URL, application data
type, or cookie.
Numerous load balancing algorithms and extensive server health checks improve
application availability by ensuring that client requests are directed to the appropriate
servers.
To configure load balancing of servers, do the following:
1. Enable the load balancing feature and the use source IP (USIP) mode of the
NetScaler.
Navigate to Configuration > System > Settings and under Modes and Features do
the following:
a. Click Configure basic features and select the Load Balancing checkbox.
b. Click Configure modes and select the Use Source IP checkbox.
Note: With vPath integration, Source NAT is not required and server return
traffic is redirected to NetScaler 1000V by vPath service attached to the
server VM port. The original source IP is preserved for all connections.
2. Add the required servers as services on the NetScaler 1000V.
Navigate to Configuration > Traffic Management > Load Balancing > Services,
click Add and configure the details (IP address, port, protocol) of each of the
servers as services on the NetScaler 1000V.
Note: NetScaler 1000V is tightly integrated with the Nexus 1000V vPath
architecture, and will not work without a vPath port-profile attached to the servers.
Therefore, until the port profile configuration (provided in step 3) is done, the service
state may appear as Down.
3. Create a virtual server that will bind these services to the virtual server IP address.
Navigate to Configuration > Traffic Management > Load Balancing > Virtual
Servers, click Add and configure the name, virtual IP address (VIP), protocol, load
balancing method, and the services to be bound to the virtual server.
4. Save the configurations.
Click Save in the upper right hand corner of the interface.
Step 3: Binding Backend Servers to a Port Profile
After performing the vPath configurations on the NetScaler and then configuring the
load balancing virtual server, you must define the NetScaler as a Virtual Service Node
(VSN) and associate it with a port profile. The port profile, which is defined on the
Virtual Supervisor Module (VSM), specifies that all traffic reaching the virtual port of
the server must be redirected to the NetScaler virtual appliance. On the vCenter
Server, you must then bind the port profile to the virtual port that is associated with
the virtual machine.
Note: Every virtual NIC of a virtual machine has a corresponding virtual port on the
Nexus 1000V virtual switch. Each virtual port must be associated with a port profile
that specifies the properties of the device.
To bind backend servers to a port profile
On the Nexus 1000V Virtual Supervisor Module (VSM), do the following
1. Configure the NetScaler virtual appliance as a VSN.
Example: Create a VSN named "NS1" for a NetScaler with IP address 10.102.38.220.
# vservice node NS1 type adc
ip address 10.102.38.220
adjacency l3
fail-mode open
2. Create a port profile for the NetScaler virtual appliance.
Example: Create a port profile named "LB-ON-L3" to be used for the NetScaler
services.
# port-profile type vethernet LB-ON-L3
vmware port-group
switchport mode access
switchport access vlan 1
vservice node NS1
no shutdown
system vlan 1
state enabled
3. On the vCenter Server, bind the port profile to the virtual machine as shown in the
following image:
Note: Repeat this step to bind the required servers to the port profile.
Behavioral Aspects of NetScaler with vPath
Some points to note in a NetScaler 1000V deployment with vPath configured:
• The maximum value for the Maximum Segment Size (MSS) of the default TCP profile
(nstcp_default_profile) is 1380.
• The MSS used by services and virtual servers is determined as follows:
  • A service uses the MSS configured for the default TCP profile
  (nstcp_default_profile) regardless of the MSS of the TCP profile that is bound to
  the service.
  • A virtual server uses the lower of the MSS defined for the default
  TCP profile (nstcp_default_profile) and the MSS of the TCP profile that is bound to the
  virtual server.
• Pre-fragmentation of vPath-encapsulated packets is supported. Even packets with the Do
Not Fragment (DF) bit set are pre-fragmented.
• When a full-size packet is encapsulated with vPath information and the result exceeds
the MTU, the NetScaler generates an ICMP (Type 3, Code 4) fragmentation-needed error
message if the icmpErrGenerate parameter is set to ENABLED.
NetScaler Features not Supported on the
NetScaler 1000V Virtual Appliance
The following NetScaler features are not supported on NetScaler 1000V hosted on a
Nexus 1010/1110, VMware ESX appliance, or Linux-KVM platform:
• NetScaler Gateway
• CloudBridge Connector
• AppFlow for ICA
  This is not listed as a feature and is disabled in the license. You can verify this by
  running the sh license command on the NetScaler 1000V command-line interface.
• Call Home
• Interface parameter configurations, such as speed, duplex, and auto-negotiation.
• Interface events, such as link UP and DOWN, because the hypervisor host does not
report these events to NetScaler 1000V.
• L2 Mode is not supported on VMware, Nexus, ESX platforms, and Linux-KVM
platform.
• Because interface events are not reported, the following features are not
supported:
  • Static link aggregation
  • Dynamic route advertisement for connected networks
  • Monitored static routes
  • Avoiding split brains in a high availability (HA) setup
  • Partial failure detection in an HA setup
In addition, some features are not supported in specific operational modes, others are
not supported when vPath encapsulation is used, and others require that vPath be
explicitly enabled.
On a Nexus 1010/1110 appliance, the following NetScaler features are not supported on
shared interfaces:
• VLAN Tagging
• LACP
On a VMware ESX appliance, the following NetScaler feature is not supported:
• LACP
A NetScaler VPX setup on the NS 1000V-KVM platform has the following limitations:
• VLAN tagging is not supported on NetScaler VPX operating in MacVTap-Bridge,
MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.
• LACP is not supported on NetScaler VPX operating in Bridge, MacVTap-Bridge,
MacVTap-Private, or MacVTap-VEPA interface mode.
• Live Migration of the NetScaler VPX running on KVM is not supported.
• When a VLAN tagged packet destined for a guest VM is received on an Intel IXGBE
10G interface of a KVM host running on Red Hat Enterprise Linux (RHEL) 6.4, the
IXGBE driver of this distribution strips the VLAN tag before sending it to the guest
VM (in this case, NetScaler VPX). Because of this host behavior, a NetScaler VPX
instance running on RHEL 6.4 does not receive the intended VLAN tagged packets.
The following NetScaler features are not supported when using vPath encapsulation:
• Application Layer Gateways (ALGs)
    • Active FTP
    • RTSP
    • TFTP
    • SIP
The following NetScaler features are supported only when vPath encapsulation is
enabled by executing the add vpath -destIP <ip_addr> command:
• Audit logging (AAA)
• Web logging
• AppFlow
Configuring a NetScaler 1000V Virtual Appliance
The NetScaler 1000V installation procedures include basic configuration. After
installation, you are ready to configure the virtual appliance for your intended use. For
example:
• To configure your appliance as a traffic manager, see the Citrix NetScaler Traffic
  Management Guide.
• To configure your appliance for optimization, see the Citrix NetScaler Optimization
  Guide.
• To configure your appliance for data security, see the Citrix NetScaler Security
  Guide.
The guides are available at http://www.cisco.com/en/US/products/ps13296/tsd_products_support_series_home.html.
Note: As described in "NetScaler Features not Supported on the NetScaler 1000V
Virtual Appliance", the NetScaler 1000V virtual appliance does not
support all NetScaler features.
NetScaler 1000V FAQs
General
How can I find out the number of packet engines running on a NetScaler 1000V
virtual appliance?
At the NetScaler command prompt, type:
stat cpu
The command returns the number of CPUs (packet engines) running on the NetScaler
virtual appliance.
Do interfaces on a NetScaler 1000V virtual appliance receive the link events?
No. Any change in the operational or administrative state of a physical interface is
not communicated to a NetScaler 1000V virtual appliance.
What interface parameter configurations are blocked on a NetScaler 1000V virtual
appliance?
Interface parameters such as speed, duplex, and flow control cannot be set on a
NetScaler 1000V virtual appliance.
What is the command for reversing the ACTIVE/STANDBY roles of a high availability
pair of NetScaler 1000V virtual appliances?
At the NetScaler 1000V command prompt, type:
force failover
How can we access the NetScaler 1000V configuration utility (GUI)?
To access the NetScaler 1000V GUI, type the NetScaler IP (NSIP) address of the
NetScaler 1000V (http://<NSIP address>) in the address field of any browser.
Can two NetScaler 1000V virtual appliances installed on the same Nexus 1010/1110
appliance or on the same VMware ESX appliance be configured in a high availability
setup?
Yes, but it is not recommended. A hardware failure would affect both NetScaler
1000V virtual appliances.
NetScaler 1000V installed on Cisco Nexus 1010/1110
Which NetScaler VSB interface is the management interface?
The management interface of a NetScaler VSB is ns_intf_0. This interface must be
mapped to the Nexus 1010/1110 management-uplink interface.
What is the purpose of the "internal" interface in a NetScaler VSB?
The Nexus operating system and NetScaler VSB exchange heartbeat messages through
the internal interface.
How can I map a NetScaler interface (logical) to a Nexus Ethernet interface
(physical)?
On the NetScaler VSB, 0/x are management interfaces and 1/x are data interfaces. A
1/x interface is represented internally as ns_intf_x. For example, to map NetScaler
logical interface ns_intf_1 to the Nexus physical interface Ethernet2, at the Nexus
prompt, type:
switch(config)# interface ns_intf_1 uplink Ethernet2
To verify the interface mapping, at the Nexus prompt, type:
sh virtual-service-blade
Example
NEXUS-03# sh virtual-service-blade name vpx_ip6
virtual-service-blade vpx_ip6
Description:
…
…
Legends:
P - Passthrough
------------------------------------------------------------------------
Interface       Type       MAC             VLAN  State     Uplink-Int
                                                 Pri  Sec  Oper  Adm
------------------------------------------------------------------------
VsbEthernet1/1  ns_intf_0  0002.3d70.e102  1     up   up   Eth1  Eth1
internal        NA         NA              NA    up   up
VsbEthernet1/3  ns_intf_1  0002.3d70.e103  1     up   up   Eth6  Eth6
VsbEthernet1/4  ns_intf_2  0002.3d70.e104  1     up   up   Eth2  Eth2
VsbEthernet1/5  ns_intf_3  0002.3d70.e105  1     up   up   Eth3  Eth3
VsbEthernet1/6  ns_intf_4  0002.3d70.e106  1     up   up   Eth5  Eth5
VsbEthernet1/7  ns_intf_5  0002.3d70.e107  1     up   up   Eth4  Eth4
VsbEthernet1/8  ns_intf_6  0002.3d70.e108  1     up   up   Eth4  Eth4
VsbEthernet1/9  ns_intf_7  0002.3d70.e109  1     up   up   Eth4  Eth4
HA Role: Primary
…
…
Map the logical and physical interfaces from the above table as follows:
NetScaler Interface   NetScaler representation of a logical   Nexus Ethernet Interface
                      interface (as seen in Nexus)
0/1                   ns_intf_0                               Eth1
0/2                   internal
1/1                   ns_intf_1                               Eth6
1/2                   ns_intf_2                               Eth2
1/3                   ns_intf_3                               Eth3
1/4                   ns_intf_4                               Eth5
1/5                   ns_intf_5                               Eth4
1/6                   ns_intf_6                               Eth4
1/7                   ns_intf_7                               Eth4
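The mapping rule and the verification step above can be applied to a captured sh virtual-service-blade listing with a short script. This is an added example, not part of the guide or of any Cisco or Citrix tool; the function names, the whitespace-separated row layout, and the reading of the Oper and Adm columns as operational and configured uplink are assumptions.

```python
import re
from collections import defaultdict

# Rows copied from the guide's example output; the column spacing is assumed.
SAMPLE = """\
VsbEthernet1/1  ns_intf_0  0002.3d70.e102  1   up  up  Eth1  Eth1
internal        NA         NA              NA  up  up
VsbEthernet1/3  ns_intf_1  0002.3d70.e103  1   up  up  Eth6  Eth6
VsbEthernet1/4  ns_intf_2  0002.3d70.e104  1   up  up  Eth2  Eth2
VsbEthernet1/5  ns_intf_3  0002.3d70.e105  1   up  up  Eth3  Eth3
VsbEthernet1/6  ns_intf_4  0002.3d70.e106  1   up  up  Eth5  Eth5
VsbEthernet1/7  ns_intf_5  0002.3d70.e107  1   up  up  Eth4  Eth4
VsbEthernet1/8  ns_intf_6  0002.3d70.e108  1   up  up  Eth4  Eth4
VsbEthernet1/9  ns_intf_7  0002.3d70.e109  1   up  up  Eth4  Eth4
"""

def netscaler_name(vsb_type):
    """Guide's rule: ns_intf_0 is 0/1, internal is 0/2, ns_intf_x is 1/x."""
    if vsb_type == "internal":
        return "0/2"
    m = re.fullmatch(r"ns_intf_(\d+)", vsb_type)
    if m is None:
        raise ValueError(f"unexpected interface type: {vsb_type!r}")
    n = int(m.group(1))
    return "0/1" if n == 0 else f"1/{n}"

def parse_vsb_interfaces(text):
    """Return one dict per interface row; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0].startswith("VsbEthernet"):
            rows.append({"ns": netscaler_name(f[1]), "oper": f[6], "adm": f[7]})
        elif len(f) == 6 and f[0] == "internal":  # heartbeat link, no uplink
            rows.append({"ns": "0/2", "oper": None, "adm": None})
    return rows

def follow_ups(rows):
    """Flag rows to re-check: Oper/Adm mismatch (assumed meaning), reused uplinks."""
    notes, users = [], defaultdict(list)
    for r in rows:
        if r["oper"] != r["adm"]:
            notes.append(f"{r['ns']}: operational uplink {r['oper']} differs from configured {r['adm']}")
        if r["oper"] and r["ns"].startswith("1/"):  # data interfaces only
            users[r["oper"]].append(r["ns"])
    for uplink, ns in sorted(users.items()):
        if len(ns) > 1:
            notes.append(f"{uplink}: uplink for {', '.join(ns)}; verify pass-through mode")
    return notes
```

On the guide's sample rows, follow_ups(parse_vsb_interfaces(SAMPLE)) reports Eth4, which backs data interfaces 1/5, 1/6 and 1/7, as the uplink whose mode to verify.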
What is the output of the sh virtual-service-blade command for a NetScaler
VSB that has failed and dumped core?
If a NetScaler VSB fails and dumps core, it does not send heartbeat signals to the
Nexus operating system, and the status of the NetScaler VSB is shown as POWERED
OFF.
NetScaler 1000V installed on VMware ESX 5.0/5.1
What VMware versions does NetScaler 1000V support?
NetScaler 1000V supports VMware ESX 5.0 and 5.1, and VMware ESXi 5.0 and 5.1.
For VMware, how many virtual network interfaces can you allocate to a NetScaler
1000V virtual appliance?
You can allocate up to 10 virtual network interfaces to a NetScaler 1000V virtual
appliance.
From vSphere, how can we access the NetScaler 1000V command line?
The VMware vSphere client provides built-in access to the NetScaler 1000V command
line through a console tab. Additionally, you can use any SSH client to access the
command line. In an SSH client, use the NSIP address of the NetScaler 1000V.
Troubleshooting a NetScaler 1000V installed on a Nexus 1010/1110 appliance
If your NetScaler 1000V virtual appliance installed on a Nexus 1010/1110 does not work
as expected, check the following list for a possible solution.
The throughput of a logical interface of the NetScaler VSB is less than the
throughput of a physical Ethernet interface on the Nexus 1010/1110 appliance.
1. Identify the logical interface on the NetScaler VSB and the mapped physical
Ethernet interface on the Nexus 1010/1110.
2. Verify that the Ethernet interface is configured in pass-through mode. Citrix
recommends pass-through mode for data ports. Shared mode can be used only
for the management port.
The NetScaler VSB is not accessible through its NetScaler IP (NSIP) address.
1. Log on to the Nexus 1010/1110 management IP address. This is the console for the
VSBs.
2. At the Nexus prompt, type:
sh virtual-service-blade
All the VSBs provisioned on Nexus 1010/1110 are displayed.
3. Identify the NetScaler VSB by its name and check its power status. If the VSB is
powered off, power it on. If the VSB is powered on, log on to the NetScaler
VSB as an administrator from the Nexus console, and diagnose.
4. Map the 0/1 interface on NetScaler VSB to the Ethernet interface on the Nexus
1010/1110.
5. Check to see if the Ethernet interface link is UP.
6. Check the configuration elements, such as VLAN, of the Ethernet interface.
The NetScaler VSB does not have the number of packet engines indicated by the
license.
1. Log on to the Nexus 1100 management IP address. This is the console for
NetScaler VSBs.
2. At the Nexus prompt, type:
sh virtual-service-blade
3. Identify the number of vCPUs allocated to the NetScaler VSB.
4. Check the RAM size.
5. Verify that the vCPUs and RAM are allocated according to the license installed on
the NetScaler VSB.
6. If the number of vCPUs or RAM allocated to the NetScaler VSB is less than
indicated by the license, power off the VSB, change the number of vCPUs and
the size of the RAM, and then power on the VSB.
Traffic is not passing through a NetScaler VSB interface, or excessive transmission
overflow (nic_err_tx_overflow) is occurring on the interface, or the interface is
dropping too many (nic_err_tx_dropped) transmissions.
1. Map the logical interface to the physical Ethernet interface on the Nexus
1010/1110.
2. Check to see if the Ethernet interface link is UP.
3. Check the configuration elements, such as VLAN, of the Ethernet interface.
4. If the Ethernet interface is shared, check from other VSBs sharing it, to see if it
is working for those VSBs.
LACP is not working in a NetScaler VSB.
LACP works only in pass-through interface mode.
1. Map the logical interface to the physical Ethernet interface on the Nexus
1010/1110.
2. Verify that the interface is configured in pass-through mode.